I thought I'd report back and let you know I got to the bottom of the issue. It was around the fact that our AD has been organised so that groups and users are in different locations, and the automatically detected AD settings in SSO weren't returning the users correctly. Strange, I know, but it seems that after deleting and recreating the detected entries with slightly modified base user and group DN strings, it all fell into place.
I thought it was strange, having done this install countless times without this kind of issue.