App is not redirected to specified redirect_url but Single Sign-On default page when logging out.


Article ID: 293409


Products

Operations Manager

Resolution

Checklist:
With Single Sign-On integration, logging out of an app redirects the user to the Single Sign-On default login page, regardless of whether a redirect_url is specified.

For example, in the /logout handler of a Java app, urlStr is the URL to redirect to after logout completes:
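// Spring MVC controller method; ssoServiceUrl and clientId are assumed to be fields of the controller.
@RequestMapping(value="/logout", method = GET)
public String logout(HttpServletRequest request, HttpServletResponse response) throws IOException {
    // Clear the local Spring Security session first.
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null){
        new SecurityContextLogoutHandler().logout(request, response, auth);
    }
    // Where the SSO service should send the browser after logout completes.
    String urlStr = "YOUR_REDIRECT_URL";
    // URL-encode the value so a '?' or '&' inside it is not parsed as part of the logout.do query string.
    String redirect = java.net.URLEncoder.encode(urlStr, "UTF-8");
    return "redirect:" + ssoServiceUrl + "/logout.do?redirect=" + redirect + "&client_id=" + clientId;
}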


In addition to specifying the logout redirect URL as above, the URL must also be added to the SSO instance's redirect whitelist; otherwise the SSO instance will block the redirect. There are three ways to do this.
 

1. Specify the allowed redirect_uris when binding an app to the SSO instance:

$ cf bind-service my-app my-instance -c example.json
Binding service my-instance to my-app in org my-org / space test as [email protected]...
OK

$ cat example.json
{
  ...
  "redirect_uris": ["https://my-app.example.com/**","http://my-app.example.com/path/to/app"],
  ...
}


2. Configure the app environment variable SSO_REDIRECT_URIS. Like any other app environment variable, it can be set via the deployment manifest or the `cf set-env` command. The drawback of this method is that it only takes effect on the first bind operation. Subsequent pushes will not update these values; they can only be updated through the SSO instance dashboard. For this reason, VMware Support recommends option #1 if you require a CLI-driven workflow.


3. Configure the Redirect URIs whitelist on the SSO instance dashboard.
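
As an added example (not part of the original article or of the SSO product), the following Python pre-flight check reads a binding config like the example.json in approach 1 and reports whether the logout redirect URL is covered by redirect_uris, along with entries that are not HTTPS or that have a wildcard host. The matching rules (`**` crosses path segments, `*` does not) are an assumption based on the `/**` pattern shown above, not the SSO instance's own matcher; check_binding and pattern_to_regex are hypothetical names.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample mirroring the page's example.json (elided keys left out).
SAMPLE_BINDING = """{
  "redirect_uris": ["https://my-app.example.com/**",
                    "http://my-app.example.com/path/to/app"]
}"""


def pattern_to_regex(pattern):
    """Assumed Ant-style semantics: '**' crosses '/' boundaries, '*' does not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))


def check_binding(binding_json, logout_redirect):
    """Return (covered, warnings) for a logout redirect and a binding config."""
    uris = json.loads(binding_json).get("redirect_uris", [])
    warnings = []
    for uri in uris:
        parts = urlsplit(uri)
        if parts.scheme != "https":
            warnings.append(f"{uri}: not HTTPS")
        if "*" in parts.netloc:
            warnings.append(f"{uri}: wildcard in host")
    covered = any(pattern_to_regex(u).fullmatch(logout_redirect) for u in uris)
    return covered, warnings


if __name__ == "__main__":
    ok, notes = check_binding(SAMPLE_BINDING, "https://my-app.example.com/logged-out")
    print("logout redirect covered:", ok)
    for note in notes:
        print("warning:", note)
```

A result of covered = False before binding means the SSO instance would be expected to block the redirect and fall back to its default login page, which is the symptom this article describes.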