Attempting cf login with SSO fails with a 500 Internal Server Error:
cf login -a <api system domain> --sso
(The 500 error occurs in the browser on the authentication URL.)
A HAR capture shows the 500 error is returned by the IDP when the browser sends the SAML request that UAA redirected it to.
Logging in as the local UAA admin user succeeds, but SSO users get login failures.
If the Tanzu UAA SAML service provider (SP) certificate has changed, this can lead to a 500 error from the IDP. Verify the SAML service provider credentials certificate in Ops Manager > Tanzu Application Service > UAA settings pane. The certificate must match the one registered with the Identity Provider (IDP). Also verify that the IDP metadata configured in UAA is correct.
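One way to perform that certificate check from a workstation, as an added example that is not from the KB article or from UAA: compare the SP signing certificate UAA publishes in its SAML metadata (the document served at /saml/metadata on the login subdomain) with the certificate exported from the IDP's SP registration, using SHA-256 fingerprints. The entity ID, metadata and certificate bytes below are constructed stand-ins.

```python
"""Added check: does the SP signing certificate UAA publishes in its SAML
metadata match the one the IdP has on file?  Sample data below is constructed."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, colon-separated like `openssl x509 -fingerprint`."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour (as exported from the IdP) and decode to DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def sp_certs_from_metadata(xml_text: str) -> dict:
    """Map each KeyDescriptor use ('signing', 'encryption', or 'any' if the
    attribute is absent) to the fingerprint of the certificate it carries."""
    certs = {}
    for kd in ET.fromstring(xml_text).iter(f"{{{MD_NS}}}KeyDescriptor"):
        for x509 in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            der = base64.b64decode("".join((x509.text or "").split()))
            certs[kd.get("use", "any")] = der_fingerprint(der)
    return certs

def signing_cert_matches(uaa_metadata: str, idp_registered_pem: str) -> bool:
    """False is the state the article describes: UAA signs with a certificate
    the IdP does not know, so the IdP rejects the SAML request."""
    advertised = sp_certs_from_metadata(uaa_metadata)
    current = advertised.get("signing") or advertised.get("any")
    return current == der_fingerprint(pem_to_der(idp_registered_pem))

# Constructed stand-ins; a real KeyDescriptor carries a base64 DER certificate.
CURRENT_B64 = base64.b64encode(b"constructed current UAA SP certificate").decode()
STALE_B64 = base64.b64encode(b"constructed previous UAA SP certificate").decode()
UAA_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="login.sys.example.com">
  <md:SPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{DS_NS}">
    <ds:X509Data><ds:X509Certificate>{CURRENT_B64}</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>"""
IDP_HAS_CURRENT = f"-----BEGIN CERTIFICATE-----\n{CURRENT_B64}\n-----END CERTIFICATE-----\n"
IDP_HAS_STALE = f"-----BEGIN CERTIFICATE-----\n{STALE_B64}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print("IdP holds current SP cert:", signing_cert_matches(UAA_METADATA, IDP_HAS_CURRENT))  # True
    print("IdP holds stale SP cert:  ", signing_cert_matches(UAA_METADATA, IDP_HAS_STALE))    # False
```

Against a live system, replace UAA_METADATA with the fetched metadata document and IDP_HAS_CURRENT with the PEM exported from the IDP's SP entry; a False result means the certificate in the UAA settings pane and the one at the IDP have diverged.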
See the documentation on configuring UAA in Tanzu Application Service: https://techdocs.broadcom.com/us/en/vmware-tanzu/platform/elastic-application-runtime/6-0/eart/config-uaa.html