We've been unable to integrate AA OSP (SAML/OAuth) with certain major IT systems (Palo Alto, for one) inside our company specifically because AA's OSP forces you to use self-signed SAML/OAuth Signing certificates. It's not that it's a problem that AA is relying on an unrecognized CA, but that the Issuer and Subject of the SAML/OAuth "Signing" certificate are the same value, thus truly "self-signed" in the worst sense.
AA can resolve this in one of two ways, though it would be best if AA allowed both options:
1) Generate an actual AA-internal Root CA, and then issue separate SAML/OAuth Signing and Encryption certificates off of that AA-internal Root CA.
2) Allow customers to upload externally-signed Signing and Encryption certificates to be used instead.