Comment

I don't know if I'll have the right answers for you, but based on your comment "From the web using cnXXXX.awmdm.com we are not redirected to Okta and get 'Invalid credentials, Try again.'":

If you go to this URL in your browser: https://cnXXXX.awmdm.com/mydevice/Login?gid=OG

You should be redirected to WS1 Access and then redirected to Okta. If this is not happening, then you most likely have an issue in Enterprise Integration -> Directory Services (specifically under SAML Settings).


If you are having a problem on the return, it's probably an issue with the values being passed in the response not matching the UEM user.