When attempting to load Cloud Access Manager, an IIS error page is displayed instead of a logon screen, stating:
"Server Error in '/CloudAccessManager/RPSTS/Saml2' Application"
The STS logs, located in the logs folder of the STS server, may also contain the following message:
ERROR 2017-05-03 07:32:53,082 76911ms [ 9] [l0EU5qgt8h] - Unable to redirect to the proxy. Failed to load STS configuration.
This can be caused when an application is configured or modified and the certificate being used is incorrect or otherwise corrupt.
Because the configuration may not be loaded immediately, the issue may not be immediately apparent.
Product defects: 700399 and 700401
RESOLUTION # 1:
Defects 700399 and 700401 have been fixed in Cloud Access Manager 8.1.2.HF2 and later.
WORKAROUND # 1:
The application causing the issue should be removed from Cloud Access Manager by logging in through the Fallback admin page. You will need to know the fallback password to log in.
First, however, the application at issue needs to be identified. This can be done via the SQL database. These steps assume Enterprise MS SQL, using Microsoft SQL Server Management Studio as an example.
Once you have opened and connected to the database, find and expand 'Databases' > 'CTData' > 'Tables' > 'dbo.FedTrusts'.
Right-click 'dbo.FedTrusts' and click 'Select Top 1000 Rows', then scroll right in the bottom window until you find the column called 'encriptionCert'. You are looking for an entry that displays an error. The below image shows an example of that error. Other data in the row should indicate which application needs to be removed.
Once the application is removed, IIS and the STS services will need to be restarted, or the entire server can be restarted. Service should be restored within 10 to 20 minutes.
The application will then need to be set up again.