UAAC admin access is required to clean up the leftover metadata groups. Refer to the Create an Admin Client Pivotal Documentation for more information. 

After gaining UAAC admin access, follow the instructions below:

1. Secure Shell (SSH) into the Ops Manager Virtual Machine (VM).

2. Run the following command to find out which identity zone the groups are bound to:

• uaac curl -k /identity-zones | grep subdomain
• If the correct identity zone for the next step is not specified, this error message will be returned: 'CF::UAA::NotFound'

3. To find out which groups are leftover in that subdomain, in this case 'sso', run the following command: 

• uaac -z sso groups or uaac -z sso groups | grep -B1 " id:"

4. Run the following command to delete groups associated with the resource name you are trying to create:

• uaac -z sso group delete mpitts.read

5. Run the same command, uaac -z sso group delete #####.read, for the remaining leftover groups.

6. Confirm that the metadata groups are now removed from UAAC. You should be able to recreate the resources successfully on the SSO dashboard.