How do the CA Single Sign On custom sdk API agents get updated agent keys from the doManagement call function?