Hi, since nobody here could help me. I did more research, and finally got SSO running.
I had help from a Keyshield SSO developer, who, finally solved the problem. He changed some configs in the Keyshield-Server.
Sadly I can't say, what in detail he changed.
To get SSO logs can be enabled by ssh command: set samltrace level DEBUG
To view the logs, you have to look in the Realtime Monitoring Tool>Trace and Log Central>Remote Browse>servername>System>Cisco SSO>log