Configuring Citrix SSO on Citrix Gateway for Citrix Endpoint Management
For details on how to configure Citrix SSO device policies to achieve per app VPN, please check the below document
https://docs.citrix.com/en-us/citrix-endpoint-management/policies/vpn-policy.html
This support article covers the session policy configuration on Citrix Gateway for a Full Device VPN with Citrix SSO
Beyond normal production use, Citrix SSO is a useful troubleshooting to determine if an issue is localised to a custom MAM app, MDX app or apps like SecureWeb from an Endpoint Management perspective or a networking issue.