Spent some time with support over the weekend on this issue. When failing over to the secondary SSO node the following error was displayed on the web client:
Failed to communicate with the vCenter Single Sign On Server http://\webapps\sso-adminServer\WEB-INF\web.xml
This makes the secondary node the same as the primary, you then have to ensure active passive access to the SSO nodes is configured on the load balancer. This also means if a change is made to the primary the web.xml file needs to be manually copied to the secondary. I haven’t completed testing yet, but you may have to restart the SSO service on the secondary node once failover has occurred to allow authentication.
Another useful insight from engineering was the following:
If the primary SSO node fails and VC is restarted while primary node is down then VC will be unable to authenticate user access, because it relies on the admin service running on the primary SSO node. In this scenario the secondary node is basically useless.