1.) Ensure the SharePoint 2013 User Profiles have UPN and Email attributes at a minimum. Please refer to the Microsoft Documentation on the SharePoint Profile Synchronization Service for instructions on properly synchronizing the User Profiles from the Single Sign On User Directory.
2.) If you have configured Single Sign On Policies to protect all SharePoint Requests, you will need to create Un-Protected Realms for the Workflow resources to allow the JSON requests to be proxied to SharePoint without being challenged for Single Sign On credentials. If you have only protected "/redirectjsp/redirect.jsp" with CA Single Sign On Policies, then you do not need to create these Un-Protected Realms. If you are unfamiliar with creating Un-Protected Realms, please refer to the CA Single Sign On Policy Server Configuration Guide for instructions.
3.) By default, the CA Single Sign On Agent for SharePoint blocks the "WWW-Authenticate" header that the back-end SharePoint server sets in the 401 response to the Workflow Manager Client 1.0. This prevents the Workflow Manager Client 1.0 from completing its authentication/authorization process, so the request fails with a 401 error. To allow the back-end SharePoint server's WWW-Authenticate header to be delivered to the Workflow Manager Client 1.0, make the following changes: for versions prior to R12.52 SP1 CR-05, add the "connection-pool" section to Server.conf inside the <Service name="forward"> section; modify the opening "nete:forward" tag in your ProxyRules.xml file to include the connection-auth="Yes" parameter; and add the "jkEnvVar REMOTE_PORT" setting to the httpd.conf file after the 'jkMountCopy all' entry.
The following is from the R12.52 SP1 Agent for SharePoint 2010 and 2013 Guide:
Configure Web Applications That Use NTLM Authentication
If the web server uses a connection-oriented authentication scheme, configure a connection-oriented connection pool for secure forward request processing.
Important! We highly recommend that you do not configure a connection-oriented connection pool.
Follow these steps:
1. Verify that the value for the JK environment variable REMOTE_PORT is set in the httpd.conf file.
2. Open server.conf and add the following lines in <Service name="forward"> section:
# Pool configuration for connection oriented authentication backend
# connections eg: NTLM.
<connection-pool name="connection oriented authentication">
Defines the time in seconds the connection times out. We recommend that you set a lower value.
Defines the number of connections in the connection pool.
Specifies the status of the connection-oriented connection pools. Set the value to yes to enable the connection-oriented connection pools.
3. Open proxyrules.xml and add the connection-auth attribute to the forward rule.
Example: <nete:forward connection-auth="yes">hostname:port$1</nete:forward>
This will allow the Workflow Manager Client 1.0 to receive the WWW-Authenticate Header and respond with the required Token to allow the request to succeed.
For Agent for SharePoint versions R12.52 SP1 CR-05 or higher, only steps #1 and #3 need to be completed, since the 'connection-pool' settings have been added to the Server.conf file by default. If you have upgraded to R12.52 SP1 CR-05, then you will need to complete all three steps. You can also tune the default settings to meet your needs.
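One way to verify the three settings above before testing the Workflow Manager Client, as an added example (not CA's tooling and not from the guide). The function names, sample file contents and host names are constructed for illustration; pass in the text of your own httpd.conf, server.conf and proxyrules.xml.

```python
import re

def httpd_ok(text):
    """'JkEnvVar REMOTE_PORT' must appear after 'JkMountCopy all' (comments ignored)."""
    lines = [l.strip() for l in text.splitlines() if not l.strip().startswith("#")]
    mount = [i for i, l in enumerate(lines) if re.match(r"(?i:jkmountcopy\s+all)\b", l)]
    env = [i for i, l in enumerate(lines) if re.match(r"(?i:jkenvvar)\s+REMOTE_PORT\b", l)]
    return bool(mount and env and max(env) > mount[0])

def server_conf_ok(text):
    """The forward service must hold an uncommented <connection-pool ...> line."""
    start = re.search(r'<Service\s+name="forward"\s*>', text)
    if not start:
        return False
    rest = text[start.end():]
    end = re.search(r"</?Service[\s>]", rest)  # stop at the end of the forward service
    section = rest[:end.start()] if end else rest
    return any(l.strip().startswith("<connection-pool ") for l in section.splitlines())

def forwards_missing_auth(text):
    """Return every opening nete:forward tag that lacks connection-auth="yes"."""
    missing = []
    for tag in re.findall(r"<nete:forward\b[^>]*>", text):
        attr = re.search(r'connection-auth\s*=\s*"([^"]*)"', tag)
        if not (attr and attr.group(1).lower() == "yes"):
            missing.append(tag)
    return missing

def audit(httpd, server, proxy):
    """Collect one finding per missing setting across the three files."""
    findings = []
    if not httpd_ok(httpd):
        findings.append("httpd.conf: JkEnvVar REMOTE_PORT not set after JkMountCopy all")
    if not server_conf_ok(server):
        findings.append("server.conf: no connection-pool in the forward service")
    findings += ["proxyrules.xml: no connection-auth on " + t for t in forwards_missing_auth(proxy)]
    return findings

# Constructed sample inputs (host names are placeholders, pool settings omitted).
HTTPD = "JkMountCopy all\n# JkEnvVar REMOTE_PORT\n"
SERVER = ('<Service name="forward">\n'
          '<connection-pool name="connection oriented authentication">\n'
          '</Service>\n')
PROXY = ('<nete:forward connection-auth="Yes">sp1.example.test:80$1</nete:forward>\n'
         '<nete:forward>sp2.example.test:80$1</nete:forward>\n')

if __name__ == "__main__":
    for finding in audit(HTTPD, SERVER, PROXY):
        print(finding)
```

On the constructed input it reports the commented-out JkEnvVar line and the second forward rule, which has no connection-auth attribute.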