The issue here is caused by a certificate name mismatch. The default certificates used by SAML were signed with the Fully Qualified Domain Name (FQDN).
The customer was trying to log in using the IP address of the PAM Server instead of its FQDN, which caused a handshake exception.
In the PAM Client log file (logs.log) we found the following error message:
<yyyy-mm-dd hh:mm:ss> DEBUG - javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching <PAM Server FQDN> found.