Generally slow logon times mean something is being blocked.
Just to test, can you change that role to have an allowall and see if it speeds up?
If so, remove the allowall and then use the "show datapath session table <client-ip> | include D" command to see what is being blocked during the logon process.