Open SSH to both VCSAs and start tcpdump -w packetcapture.pcap
Go back to joining the SSO domain and try again. Once you are able to reproduce the error, stop the captures on both VCSAs and download them using WinSCP.
You may need to allow WinSCP connectivity: How to allow Shell and SCP access in vCenter 6 Appliance | VIRTUALIZATION BLOG
Download the pcap files and open them with Wireshark to see if the issue is in the middle firewall or connectivity.
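The comparison described above can also be scripted. This is an added example, not part of the original post: it lists TCP SYNs that appear in the sending appliance's capture but not in the receiving one's, which points at a device in the path dropping them. It assumes classic little-endian pcap files with Ethernet framing, IPv4, and no NAT between the appliances; the function names, addresses and ports are constructed for illustration.

```python
import socket
import struct

def syn_flows(pcap: bytes) -> set:
    """Return (src, dst, sport, dport) for each TCP SYN (no ACK) in a classic pcap."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian classic pcap (not pcapng)")
    flows, off = set(), 24                      # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Assumption: Ethernet link type, IPv4 (EtherType 0x0800), no VLAN tag.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]   # skip the IP header (IHL words)
        if len(tcp) < 14:
            continue
        if tcp[13] & 0x12 == 0x02:              # SYN set, ACK clear
            sport, dport = struct.unpack("!HH", tcp[:4])
            flows.add((socket.inet_ntoa(frame[26:30]),
                       socket.inet_ntoa(frame[30:34]), sport, dport))
    return flows

def lost_in_transit(sender_pcap: bytes, receiver_pcap: bytes) -> set:
    """SYNs that left one appliance but never show up in the other's capture."""
    return syn_flows(sender_pcap) - syn_flows(receiver_pcap)

def make_pcap(syns) -> bytes:
    """Build a constructed capture holding one SYN per (src, dst, sport, dport)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, sport, dport in syns:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample: appliance A sends SYNs to ports 443 and 389; only 443 reaches B.
A, B = "192.0.2.10", "198.51.100.20"
CAP_A = make_pcap([(A, B, 50001, 443), (A, B, 50002, 389)])
CAP_B = make_pcap([(A, B, 50001, 443)])

if __name__ == "__main__":
    for flow in sorted(lost_in_transit(CAP_A, CAP_B)):
        print("SYN seen on sender only:", flow)
```

With real captures, read each downloaded file as bytes and pass the sender's capture first; an empty result means every connection attempt reached the other appliance and the problem lies elsewhere.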