I don't believe this solution is supported for operation when servers are down and out of service.
I just went through this myself as we tested such a thing. In the past, without SSO, you could get away re-organizing the CM group to set primary to an available UCM, then you click on login a bunch and eventually you get in.
What's happening there is that the Expressway still believes that those other nodes area available for UDS, and tries to query them. They'll time out and sign in will fail, but you can press sign in again and maybe hit another one.
With SSO this is even worse as the same mechanism will be used to attempt to validate tokens, which will fault as the host isn't up, and leads to token revocation/expiry.
I'd be more than happy to hear that there's a way to support this, which maybe there will be in the future, but as far as I can tell when you have a UCM offline this is what happens with Jabber and MRA at least.