01-09-2024 10:26 PM
Hi,
we have two PSNs and we configured the certificate to include spnonser.mydomain.com, and under the portal settings we configured the FQDN for the portal to be spnonser.mydomain.com. Now, if we configure the A record for spnonser.mydomain.com to point to the primary PSN it works, and if we change the A record to point to the secondary PSN the portal does not work. So is this expected behavior, or should I be able to open the portal from both PSNs?
01-10-2024 05:18 AM
You should be able to open the sponsor portal on any PSN that has the correct portal certificate tag present. What exact error do you receive when connecting to the secondary PSN?
01-10-2024 01:05 PM
Yep - an error condition would be useful.
And also, when testing this, ensure that DNS is resolving to the IP address you expect (i.e. you might need to flush the DNS cache on your test host after changing the A record on the DNS server).
As @ahollifield also pointed out, a valid portal cert must be assigned to each PSN.
I just tested this in my setup and it works on both nodes. Although, in fairness, these are all-in-one nodes (PAN/MNT/PSN). I don't have a dual standalone PSN setup to test with at the moment, but I don't see why this wouldn't also work there.
NB: The biggest challenge with Sponsor Portal not working is that the Primary Admin node MUST be operational for the Sponsor Portal to work. So if you killed off your PAN as part of the test, then swapping the DNS to the other PSN won't work, because PAN is dead. Yes you can launch the web portal login page successfully, but your logins will be refused. See below:
01-20-2024 10:29 PM
Sorry, it's not working on both PSNs. It's working only if I keep the portal by IP address and not by name; if I use a name like sponser.mydomin.com it's not working and throws a certificate HSTS error. We used a 3rd-party SAN certificate and included each ISE PSN as a SAN in addition to sponser.mydomin.com, but it's not working. What I notice is that when the certificate HSTS error shows and I click on the certificate details, it's using the PAN admin certificate despite me using a dedicated portal certificate. Does this mean the PAN admin certificate should include a SAN for sponser.mydomin.com as well? If yes, why, since my PAN admin certificate is from an internal CA and I want a 3rd-party certificate for my sponsor portal?
01-21-2024 06:57 AM
Before you land on the sponsor portal, the session first goes to the PAN, and then the PAN redirects that session to the sponsor portal. This is why you actually see two certificates presented if you inspect this flow: one is the PAN cert and the other is the one you tied to the sponsor portal. I think this is a design decision in ISE.
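A small diagnostic for the situation discussed in this thread, added here as an example and not taken from any post or from Cisco ISE itself: it connects to a given PSN IP while sending the portal FQDN as the TLS server name, pulls the certificate that node actually presents, and checks whether its SAN covers the FQDN (so an admin certificate being served instead of the portal certificate shows up immediately as a mismatch). The hostnames, the `cafile` argument and the `SAMPLE_CERT` dictionary are constructed assumptions.

```python
import socket
import ssl


def fetch_peer_cert(ip: str, sni: str, cafile: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to `ip`, present `sni` as the TLS server name, return the parsed leaf cert.
    Hostname checking is disabled on purpose so the cert is returned even when its SAN
    does not cover `sni`; chain validation against `cafile` stays on so the dict is filled."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()


def san_dns_names(cert: dict) -> list[str]:
    """Return the dNSName entries of the certificate's subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def san_covers(names: list[str], fqdn: str) -> bool:
    """True if `fqdn` matches a SAN entry exactly or via a single leftmost wildcard label
    (the usual browser rule: '*.mydomain.com' covers 'x.mydomain.com' only)."""
    fqdn = fqdn.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == fqdn:
            return True
        if name.startswith("*.") and "." in fqdn and fqdn.split(".", 1)[1] == name[2:]:
            return True
    return False


def check_psn(ip: str, fqdn: str, cafile: str) -> tuple[bool, list[str]]:
    """Report whether the certificate this PSN presents for `fqdn` actually covers it."""
    names = san_dns_names(fetch_peer_cert(ip, fqdn, cafile))
    return san_covers(names, fqdn), names


# Constructed sample mirroring the thread: a cert whose SAN lists the PSN node names
# but not the portal FQDN, which is exactly what produces the browser certificate error.
SAMPLE_CERT = {
    "subject": ((("commonName", "ise-psn1.mydomain.com"),),),
    "subjectAltName": (("DNS", "ise-psn1.mydomain.com"), ("DNS", "ise-psn2.mydomain.com")),
}

if __name__ == "__main__":
    import sys
    ip, fqdn, cafile = sys.argv[1:4]  # e.g. 10.0.0.12 sponsor.mydomain.com internal-ca.pem
    ok, names = check_psn(ip, fqdn, cafile)
    print("OK" if ok else "MISMATCH", fqdn, "presented SAN:", names)
```

Run it once per PSN IP after changing the A record; a MISMATCH whose SAN list shows only node names means the node served its admin certificate rather than the portal certificate for that server name.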