I'm not completely sure what kind of setup is required for multiple PSCs to be able to cross-validate their SAML tokens. Maybe the steps from this guide are enough, maybe there are some other configuration necessary. Let's hope that someone from vCenter team will join this thread and clarify.
BTW, I'd suggest to check vRO server and vSphere Web client log files just in case to validate that the error is indeed 401 Unauthorized (authentication failures caused by SAML token validation issues) and not some different error, unrelated to authentication.
