Do you see a second MAC authentication in Access Tracker after the authentication?
What are the enforcement profiles returned in each of the authentications?
Please check/post the output of Access Tracker for the first and second authentication.
The generic flow should be:
1) MAC authentication, enforcement profile that triggers the captive portal redirect
2) Web authentication (with SSO in your case), that either sets a role and/or endpoint attribute, and does a CoA to the switch
3) The switch does a port-bounce on the client; when the port comes up again, a new MAC authentication is sent to ClearPass. This MAC authentication will now, based on either the cached role or an attribute stored in the endpoint database, return the 'normal-access' profile. After that you should have access.
From the description, either the CoA does not trigger or is not executed on the switch, or in the last step the role or endpoint attribute is not evaluated, which will return you to the original role.
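The Access Tracker comparison asked for above, as an added example that is not part of the original post: a short Python triage that walks one client's authentications in time order and reports which step of the flow broke. The row fields, the `captive-portal-redirect` and `coa-bounce` profile names and the sample rows are constructed assumptions, not a ClearPass export format.

```python
from dataclasses import dataclass

# Hypothetical, simplified view of Access Tracker rows (not a ClearPass format).
@dataclass
class Auth:
    ts: int       # seconds since an arbitrary start
    mac: str      # client MAC address
    kind: str     # "MAC" or "WEB"
    profile: str  # enforcement profile returned

PORTAL = "captive-portal-redirect"  # assumed profile name
NORMAL = "normal-access"            # profile name used in the post

def diagnose(rows, mac):
    """Return which step of the MAC -> web auth -> CoA -> MAC flow failed."""
    seq = sorted((r for r in rows if r.mac == mac), key=lambda r: r.ts)
    first = next((r for r in seq if r.kind == "MAC"), None)
    if first is None or first.profile != PORTAL:
        return "step 1: first MAC authentication did not return the redirect profile"
    web = next((r for r in seq if r.kind == "WEB" and r.ts > first.ts), None)
    if web is None:
        return "step 2: no web authentication after the redirect"
    second = next((r for r in seq if r.kind == "MAC" and r.ts > web.ts), None)
    if second is None:
        # No new MAC authentication means the port never bounced.
        return "step 3: no second MAC authentication, CoA not triggered or not executed"
    if second.profile != NORMAL:
        # Port bounced, but policy fell back to the original role.
        return "step 3: role or endpoint attribute not evaluated on second MAC authentication"
    return "ok"

# Constructed sample rows for three clients.
A, B, C = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"
SAMPLE = [
    Auth(0, A, "MAC", PORTAL), Auth(30, A, "WEB", "coa-bounce"), Auth(40, A, "MAC", NORMAL),
    Auth(0, B, "MAC", PORTAL), Auth(30, B, "WEB", "coa-bounce"),
    Auth(0, C, "MAC", PORTAL), Auth(30, C, "WEB", "coa-bounce"), Auth(40, C, "MAC", PORTAL),
]

if __name__ == "__main__":
    for client in (A, B, C):
        print(client, "->", diagnose(SAMPLE, client))
```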