You must manually create a user role before you assign the role to the Web SSO user. Create the role on all the cluster hosts and in all the zones, if applicable.
Log in as root (su - root) to the Sun OTP host.
Create a new role account.
For example, create a role named ssorole:
roleadd -s /bin/pfksh -d /export/home/ssorole -K defaultpriv=basic -P "Cluster Management,Web Console Management,Cluster Operation,Sun Cluster Commands,All" ssorole
You must add a profile to the role that you create. Otherwise, you cannot perform administration tasks on the cluster. For more information on the roleadd command, see the roleadd man page.
Change the password for the new role.
For example:
passwd ssorole
Enter the new password for the role and confirm the password.
Create a home directory for the role.
mkdir /export/home/ssorole
chown ssorole:other /export/home/ssorole
Restart the name service cache daemon for the new role to take effect.
Perform this step after all the preceding steps have been completed on all the cluster hosts and in all the zones, if applicable.
svcadm restart system/name-service-cache
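
The following check is an added example, not part of the original Sun OTP documentation. It reads entries in the user_attr(4) format that roleadd writes and confirms that the account is of type role and carries the profiles it needs. The sample entries, the noprof and webuser account names, and the role_attr and check_role function names are constructed for illustration.

```shell
#!/bin/sh
# Entry layout in user_attr(4): name:qualifier:res1:res2:key=value;key=value...
# Assumption: attribute values contain no ':' characters.

# role_attr FILE ROLE KEY -> prints the value of KEY for ROLE (empty if absent)
role_attr() {
    awk -F: -v role="$2" -v key="$3" '
        $1 == role {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (eq && substr(kv[i], 1, eq - 1) == key) {
                    print substr(kv[i], eq + 1); exit
                }
            }
        }' "$1"
}

# check_role FILE ROLE PROFILE... -> 0 if ROLE is type=role and holds every PROFILE
check_role() {
    file=$1; role=$2; shift 2
    [ "$(role_attr "$file" "$role" type)" = "role" ] || {
        echo "FAIL: $role is missing or is not type=role" >&2; return 1; }
    profiles=$(role_attr "$file" "$role" profiles)
    rc=0
    for want in "$@"; do
        case ",$profiles," in
            *",$want,"*) ;;   # exact match against one comma-separated profile
            *) echo "FAIL: $role lacks profile: $want" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample entries: a correct role, a role created without profiles,
# and an ordinary user that is assigned the role.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
ssorole::::type=role;defaultpriv=basic;profiles=Cluster Management,Web Console Management,Cluster Operation,Sun Cluster Commands,All
noprof::::type=role;defaultpriv=basic
webuser::::type=normal;roles=ssorole
EOF

check_role "$SAMPLE" ssorole "Cluster Management" "Web Console Management" \
    "Cluster Operation" "Sun Cluster Commands" && echo "ssorole: OK"
```

On a cluster host, pass /etc/user_attr instead of the sample file, and repeat the check on each host and in each zone where the role was created.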