A new user logging in for the first time experiences an MFA timeout.
Privileged Access Management
When PAM uses SAML authentication, source persistence is required to ensure the user is not sent to a different cluster node during the authentication process. In this case, the user took longer to go through the workflow than the session persistence was set for. Intermittently, this caused the user session and the SAML authentication token to go to a node other than the one where the user started the authentication process.
Increase the source address affinity persistence on the load balancer side to allow more time.
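
A diagnostic for the condition described above, as an added example that is not part of the original article or of the PAM product: it pairs each login start with its SAML response in a load balancer access log and reports flows that changed node or outlasted the persistence setting. The log format, node names, request paths and the 180-second timeout are constructed assumptions.

```python
from datetime import datetime

# Constructed access log (timestamp, client IP, cluster node, path); format is an assumption.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.15 node1 /saml/login
2024-05-01T09:00:40 10.0.0.15 node1 /saml/acs
2024-05-01T09:05:00 10.0.0.22 node2 /saml/login
2024-05-01T09:09:30 10.0.0.22 node1 /saml/acs
"""
LOGIN_PATH = "/saml/login"  # hypothetical: request that starts authentication
ACS_PATH = "/saml/acs"      # hypothetical: request that delivers the SAML response


def saml_flows(log_text):
    """Return one record per completed login flow, pairing start and finish."""
    started = {}  # client IP -> (start time, node that served the start)
    flows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, client, node, path = line.split()
        when = datetime.fromisoformat(stamp)
        if path == LOGIN_PATH:
            started[client] = (when, node)
        elif path == ACS_PATH and client in started:
            begin, first_node = started.pop(client)
            flows.append({
                "client": client,
                "seconds": int((when - begin).total_seconds()),
                "start_node": first_node,
                "end_node": node,
                "split": node != first_node,
            })
    return flows


def audit(log_text, persistence_timeout):
    """Flag flows that changed node or ran longer than the persistence timeout."""
    flows = saml_flows(log_text)
    return {
        "split_flows": [f for f in flows if f["split"]],
        "over_timeout": [f for f in flows if f["seconds"] > persistence_timeout],
        "longest_flow": max((f["seconds"] for f in flows), default=0),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, persistence_timeout=180))
```

The `longest_flow` value gives a lower bound for the persistence setting; first-time MFA enrollment is the case most likely to set it.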