It’s possible that the AM user may overlook this “new” requirement, which involves using the ssoadm command to set the administrative user’s universal ID for AM 7 to include ou=People.
This requirement is clearly documented in the following resource:
ssoadm fails in AM (All versions) with FATAL ERROR: Cannot obtain Application SSO token
You are using the universal ID of the administrative user to connect, for example:
uid=amAdmin,ou=People,dc=am,dc=forgerock,dc=org
However, given the amount of information available, it’s understandable that it might be missed.
Note: ssoadm has been deprecated.