The problem seems to be that in Mendix 9 the SameSite cookie defaults to “Strict” and thus the browser does not forward the session cookie issued by the /SSO/ handler if the login page of your IdP has popped up before (and for the same reason the deeplink also works if you have already logged in via your IdP before and its login page is therefore not opened).
So, setting com.mendix.core.SameSiteCookies (in the custom runtime settings, see https://docs.mendix.com/refguide/custom-settings) to “None” or “Lax” will break the circle.
What did you set in this part?
IndexPage – In special cases—for example, when you want to load a specific theme or bypass a certain single sign-on page—you can modify this constant to redirect to another index page like index3.html or index-mytheme.html.
Because now after login it will go the index.html but you changed that to point to the SSO. So you need to have a index3.html or something like that and that must contain what was in your old index.html without the redirect part.
Regards,
Ronald