When using Create SAML Token assertion, in the SAML Response we require the <ds:signature> to be included in the <saml2:Assertion> section but it only appears in the <samlp2:Response> section.
On step 10: Digital Signatures of the Create SAML Token assertion wizard there is a check box for “Sign Assertion with an Enveloped Signature”. Checking this box will include the <ds:signature> into the <saml2:Assertion>
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-0/policy-assertions/assertion-palette/xml-security-assertions/create-saml-token-assertion.html