VMware Workspace ONE Community
J4yJ4y
Enthusiast

Android SSO Issue- vIDM 3.0 On premise

Test/LAB-Topology:

Airwatch in Cloud (version 9.2) with on-premise VESC/ACC connecting to AD/LDAP in the LAN.

On the same LAN, a vIDM SUSE 3.0 appliance is installed and configured (in VMware Workstation).
Integration between Airwatch and vIDM is fully configured for directory, compliance, password check and unified catalog.

Topology is very basic as it is a test setup. No (reverse) proxy is deployed.

Internet traffic is forwarded on the Firewall/Router to the vIDM for ports 443 and 5262 (Android).

For iOS SSO, the KDC (Kerberos key distribution center) is initialized on the IDM box; Kerberos SRV (service) records are registered both on the public DNS and on the internet router.
</gml_replace>
<gr_replace lines="21" cat="clarify" orig="For Android:">
For Android: the Tunnel root certificate is downloaded from Airwatch (settings/tunnel) and uploaded to vIDM in the Mobile SSO (for Android) auth method.

For Android: the Tunnel root certificate is downloaded from Airwatch (settings/tunnel) and uploaded to vIDM  in the Mobile SSO (for Android) Auth method.

From the Airwatch console, an application configuration is pushed to the WS1 App, holding the URL of the vIDM.


The difference in my setup is that the AW servers (console, device services server) are not in a DMZ but in the AW cloud.

The issue is that Android SSO is failing:
The VPN tunnel between the device and IDM is opened for the configured apps (WS1 App, VMware Browser), but SSO is failing.

The received disconnect shown in the cert-proxy log (below) happens within a few seconds after starting the VMware Tunnel app on the Android device.
On the device the connection (key icon) does not disappear but remains in the taskbar.

The user is presented the fallback authentication method on the device as configured in vIDM.
IDM policies are checked and correctly configured.

Cert-proxy log in vIDM, right after starting the per-app VPN tunnel app on the Android device:

2017-12-06T13:55:29,554 DEBUG (LittleProxy-0-ClientToProxyWorker-7) [;;;] org.littleshoot.proxy.impl.ClientToProxyConnection - (AWAITING_INITIAL): Configuring ChannelPipeline
2017-12-06T13:55:29,557 DEBUG (LittleProxy-0-ClientToProxyWorker-7) [;;;] org.littleshoot.proxy.impl.ClientToProxyConnection - (AWAITING_INITIAL): Enabling encryption of traffic from client to proxy
2017-12-06T13:55:29,559 DEBUG (LittleProxy-0-ClientToProxyWorker-7) [;;;] com.vmware.horizon.utils.KeystoreUtilities - Loading BCFKS stream from BCFIPS
2017-12-06T13:55:29,605 DEBUG (LittleProxy-0-ClientToProxyWorker-7) [;;;] org.littleshoot.proxy.impl.ClientToProxyConnection - (AWAITING_INITIAL): Enabling encryption with SSLEngine: c35be7d[SSLEngine[hostname=null port=-1] SSL_NULL_WITH_NULL_NULL]
2017-12-06T13:55:29,605 DEBUG (LittleProxy-0-ClientToProxyWorker-7) [;;;] org.littleshoot.proxy.impl.ClientToProxyConnection - (AWAITING_INITIAL): Created ClientToProxyConnection
2017-12-06T13:55:29,607 DEBUG (LittleProxy-0-ClientToProxyWorker-7) [;;;] org.littleshoot.proxy.impl.ClientToProxyConnection - (AWAITING_INITIAL) [id: 0xa9a2252e, L:/192.168.1.105:5262 - R:/89.200.0.87:53892]: Connected
2017-12-06T13:55:29,608 DEBUG (LittleProxy-0-ClientToProxyWorker-7) [;;;] org.littleshoot.proxy.impl.ClientToProxyConnection - (DISCONNECTED) [id: 0xa9a2252e, L:/192.168.1.105:5262 ! R:/89.200.0.87:53892]: Disconnected
2017-12-06T13:55:29,608 DEBUG (LittleProxy-0-ClientToProxyWorker-7) [;;;] com.vmware.horizon.certproxy.ClientActivityTracker - Received disconnect from client: /89.200.0.87:53892

The firewall/router network trace shows a [FIN, ACK] sent from the Android device to the vIDM/certproxy on the LAN at the same moment the certproxy log shows "Received disconnect from client".


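As an added illustration (not code from the thread or from VMware), here is a small Python script that pairs the Connected/Disconnected lines of the cert-proxy (LittleProxy) log above by connection id and flags sessions the client dropped within a second of connecting, the pattern visible in the post. The first connection in the sample is the one quoted above; the second (id 0x1b2c3d4e, port 53901) is constructed as a normal long-lived session for contrast.

```python
import re
from datetime import datetime

# Constructed sample in the cert-proxy log format quoted in the post.
# Pair one is taken from the post; pair two is a made-up healthy session.
SAMPLE_LOG = """\
2017-12-06T13:55:29,607 DEBUG (LittleProxy-0-ClientToProxyWorker-7) [;;;] org.littleshoot.proxy.impl.ClientToProxyConnection - (AWAITING_INITIAL) [id: 0xa9a2252e, L:/192.168.1.105:5262 - R:/89.200.0.87:53892]: Connected
2017-12-06T13:55:29,608 DEBUG (LittleProxy-0-ClientToProxyWorker-7) [;;;] org.littleshoot.proxy.impl.ClientToProxyConnection - (DISCONNECTED) [id: 0xa9a2252e, L:/192.168.1.105:5262 ! R:/89.200.0.87:53892]: Disconnected
2017-12-06T13:57:02,100 DEBUG (LittleProxy-0-ClientToProxyWorker-8) [;;;] org.littleshoot.proxy.impl.ClientToProxyConnection - (AWAITING_INITIAL) [id: 0x1b2c3d4e, L:/192.168.1.105:5262 - R:/89.200.0.87:53901]: Connected
2017-12-06T13:57:14,900 DEBUG (LittleProxy-0-ClientToProxyWorker-8) [;;;] org.littleshoot.proxy.impl.ClientToProxyConnection - (DISCONNECTED) [id: 0x1b2c3d4e, L:/192.168.1.105:5262 ! R:/89.200.0.87:53901]: Disconnected
"""

# Timestamp, connection id, local/remote endpoints and the Connected/Disconnected event.
# The separator between L: and R: is "-" while connected and "!" once disconnected.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}) .*?"
    r"\[id: (?P<id>0x[0-9a-f]+), L:/(?P<local>[^ ]+) [-!] R:/(?P<remote>[^\]]+)\]: "
    r"(?P<event>Connected|Disconnected)$"
)


def parse_ts(ts: str) -> datetime:
    # "29,607" -> seconds 29, microseconds 607000 (strptime's %f pads 3 digits)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S,%f")


def short_lived_connections(log_text: str, threshold_ms: int = 1000) -> list:
    """Return client sessions that were torn down within threshold_ms of connecting."""
    opened = {}   # connection id -> (connect time, remote endpoint)
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # pipeline/keystore lines carry no endpoint, skip them
        if m["event"] == "Connected":
            opened[m["id"]] = (parse_ts(m["ts"]), m["remote"])
            continue
        start = opened.pop(m["id"], None)
        if start is None:
            continue          # Disconnected without a matching Connected: ignore
        duration_ms = int(round((parse_ts(m["ts"]) - start[0]).total_seconds() * 1000))
        if duration_ms <= threshold_ms:
            flagged.append({"id": m["id"], "remote": start[1], "duration_ms": duration_ms})
    return flagged


if __name__ == "__main__":
    for hit in short_lived_connections(SAMPLE_LOG):
        print(f"{hit['remote']} dropped connection {hit['id']} after {hit['duration_ms']} ms")
```

Run against the full cert-proxy log, a burst of such hits from one device right after the Tunnel app starts points at the client side (device traffic rules) rather than at the TLS handshake on the appliance.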
J4yJ4y
Enthusiast

I've not 100% nailed this, but there is progress towards a working solution.

The disconnect turns out to be caused by applying the default documented Airwatch integration parameters for Network Traffic rules.

The default traffic rules for the integration of Airwatch with cloud-hosted IDM are described here:

Configure Traffic Rules in AirWatch


When not using a reverse proxy but simply forwarding ports on a firewall, the Network Traffic rules should be tweaked.

In the Network Traffic rules, leave out the destination hostname but replace it with a *.

Then the WS1 App application configuration must be set in the AW Console using the default path \\Apps & Books \ Public \ WS1 App \ Edit etc.

Set the parameter "Greenbox Server URL" to the destination hostname (vIDM).

Some background information on the configuration of network traffic rules is in this Airwatch video:

https://kb.air-watch.com/hc/en-us/articles/115001666388-Video-Configure-Network-Traffic-Rules-for-Pe...
