I'm doing a POC of VMware Horizon 8 and we're trying to get TrueSSO setup with Okta as the IDP. When the UAG is set to SAML and Passthrough, the Okta SAML part works fine then it prompts for credentials so that part of the login process works fine. Its when I change over the UAGs to SAML authentication only that things stop working. When you try to go in through the Okta App or the Horizon Client, it successfully authenticates with Okta and in the case of the Horizon Client, passes back to the horizon client but then fails on the TrueSSO part. 

I went through the TrueSSO setup guide and the TrueSSO + Okta SAML guides. I've also used the fling for troubleshooting TrueSSO but the error that I get when performing an enrollment test does not help out very much in diagnosing the issue. The issue seems to be something to do with my CA but I don't even know where to start in diagnosing this. I've google'd the error and someone on reddit had the same issue but no resolution was ever posted. 

As this is a POC, it is a trial and vmware support isn't an option. I've attached some pictures. The horizon client error is after Okta sends me back to the Horizon client. The other picture shows the output of the Enrollment Server fling running the enrollment test - its failing to get a Cert from my CA but the reason is pretty generic.