You want to automate the CloudSOC sysadmin role assignment.
On the Broadcom SaaS Account Details page, you can configure Group Role Mapping to associate an identity provider group with a product role. If you do this for CASB's System Administrator product role, a user who logs in using Broadcom SSO will have the system admin role, as shown below:
Please note that this JIT feature only assigns the role; it does not remove the system admin role. However, if you list the group in the SSO app's allowed user/group list, then removing the user from that group prevents the user from logging in to CloudSOC. For example, for the Azure SSO shown below, removing the user from the CloudSOCSysAdmin group will block the user from logging in to CloudSOC.
For additional information, please refer to the tech doc Identity Provider Page.