This one turns out to be user error. If the CPPM timestamp is too far off from the SRX unreliable results occur.
With a timestamp in the past on the CPPM, authenticated users will eventually show up in the SRX user table, but it could be hours before that happens. Having timestamps in sync is important here...