User is being denied access.
Message seen in logs:
Authorization denied for user <username> as subject for application <app name> with roles
In the settings for the application under Subject Mapping, confirm that the Subject mapping mode for the Front End Authentication (FEA) method is configured for access.
For each front-end authentication method you must define how usernames are mapped to usernames at the target application.
Note that another symptom of this issue is that the application will not appear on the portal for users in the domain that is missing the FEA subject mapping.