When AM is set up with com.sun.identity.enableUniqueSSOTokenCookie=true, restricted SSO tokens are returned to IG via the CDSSO JWT.
When IG presents a restricted SSO token to AM for session validation, the process breaks down during com.iplanet.dpro.session.DNOrIPAddressListTokenRestriction#isSatisfied because the dn is empty.
Set com.sun.identity.enableUniqueSSOTokenCookie=true in Server advanced properties and try to do a CDSSO round trip using IG and AM against an IG agent entry in AM.
Use a Java or Web agent in place of the IG agent for IG CDSSO/AmService definitions.
The IG agent entry does not have an LDAP_ATTR_NAME (sunIdentityServerDeviceKeyValue) attribute, so this loop never happens.