Last week I was installing vSphere 5.1, which includes the SSO component in an environment with a Forest domain and many child domains. I noticed some very strange behavior when setting up permissions within vCenter when using universal security groups that existed at the forest root domain, but had members from child domains.
I submitted an SR to VMware and got notified today that they are looking into the issue with RSA and that a fix will be released at a later time. In the meanwhile, they have published a KB (within the last 30 days) describing the scenario and a work-around.
The knowledge base article is KB2037410. I believe a fix is being developed, but I can’t speak to it at this time.