[CEM] MAM enrollment Fails in Authentication - Password window pops-up Repeatedly

Article ID: CTX460331

Description

When you enroll in MAM on the CEM server through Citrix Gateway, the password prompt may pop up repeatedly without any error. This means your password is correct but SSO from Citrix Gateway to the CEM server fails.
The following is a sample of Secure Hub's debug log.

" 2022-06-22T14:50:06.638+0800 ",<X1_NETWORKING>,DEBUG1 (6),+[X1NetworkRequest startNetworkRequest:withRequestParams:withSuccessBlock:failureBlock:andAuthenticationChallengeHandler:andSessionManager:]_block_invoke,"request with id 4 succeeded with httpResponse code 401",Active,com.apple.main-thread,103,Secure Hub,/Users/jenkins/jenkins/workspace/iOS_SecureHub/AppStore/MDM/Common/Source/X1NetworkRequest.m,536
" 2022-06-22T14:50:06.741+0800 ",<CAMAUTH>,INFO (4),+[CAMAsyncHTTPImpl debugLogHTTPResponse:data:error:requestID:],"HttpResponse#10: 401 (unauthorized) from https://<XM gateway FQDN>/cvpn/https/<MDM enroll FQDN>:8443/Citrix/Authentication/auth/v1/token with data length 15",-,com.apple.root.default-qos,c947,Secure Hub,/Users/jenkins/jenkins/workspace/auth-manager-sdk_Release_21.10.5/AuthManager/AuthManager/CAMAsyncHTTPImpl.m,324
" 2022-06-22T14:50:06.972+0800 ",<CAMAUTH>,INFO (4),+[CAMAsyncHTTPImpl debugLogHTTPResponse:data:error:requestID:],"HttpResponse#12: 401 (unauthorized) from https://<XM gateway FQDN>/cvpn/https/<MDM enroll FQDN>:8443/Citrix/Authentication/CitrixAGBasic/Authenticate  with data length 15",-,com.apple.root.default-qos,2f03,Secure Hub,/Users/jenkins/jenkins/workspace/auth-manager-sdk_Release_21.10.5/AuthManager/AuthManager/CAMAsyncHTTPImpl.m,324
" 2022-06-22T14:50:06.972+0800 ",<CAMAUTH>,ERROR (2),-[CAMAGSSOAuthenticator startAuthWithTokenRequest:startUrl:context:]_block_invoke,"CitrixAGBasic SSO failed (response-status 401) (headers {
 "Content-Type" = "application/vnd.citrix.requesttokenresponse+xml";
" 2022-06-22T14:50:06.973+0800 ",X1AuthController,INFO (4),-[AuthController shouldAssumeBadCredentialsForCitrixAGBasic401ResponseForStore:],"Authentication error received CitrixAGBasic 401 Response.",-,com.apple.root.default-qos,2f03,Secure Hub,/Users/jenkins/jenkins/workspace/iOS_SecureHub/AppStore/Me@Work/Me@Work/X1Auth/AuthController.m,2163
" 2022-06-22T14:50:06.973+0800 ",<CAMAUTH>,INFO (4),-[CAMAuthController shouldAssumeBadCredentialsForCitrixAGBasic401ResponseForStore:],"called for store <CAMStoreID: {length=16,bytes=0x732483c538b36fa1cb439dc21aebd538}>, returning 1",-,com.apple.root.default-qos,2f03,Secure Hub,/Users/jenkins/jenkins/workspace/auth-manager-sdk_Release_21.10.5/AuthManager/AuthManager/CAMAuthController.m,531
" 2022-06-22T14:50:07.631+0800 ",X1AuthController,INFO (4),-[AuthController fulfillAuthRequirements:customForms:completion:error:],"Fullfill authentication requirements after 401 Response received",-,com.apple.root.default-qos,3003,Secure Hub,/Users/jenkins/jenkins/workspace/iOS_SecureHub/AppStore/Me@Work/Me@Work/X1Auth/AuthController.m,257

 

Resolution

Make sure that SSO Name Attribute on Citrix Gateway and Use search by on the CEM server are set to the same attribute.

Problem Cause

Single sign-on from Citrix Gateway to the CEM server fails.
In Citrix Gateway Authentication > LDAP > Servers, SSO Name Attribute does not match the Use search by setting in the LDAP configuration of the CEM server.
For example, if SSO Name Attribute is set to UserPrincipalName but Use search by is set to sAMAccountName, the symptom occurs.

Note: If SSO Name Attribute on Citrix Gateway is not configured, Server Logon Name Attribute will be used in SSO.
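
A triage helper for the log signature and the attribute check described above. This is an added example, not Citrix code: the function names, the abbreviated sample lines and the example.test host names are assumptions made for illustration.

```python
import re

# Message fragments copied from the Secure Hub debug log sample in this article.
AUTH_401 = re.compile(
    r"401 \(unauthorized\) from .*/Citrix/Authentication/CitrixAGBasic/Authenticate")
SSO_FAILED = "CitrixAGBasic SSO failed (response-status 401)"
REPROMPT = "authentication requirements after 401 Response received"

def count_sso_reprompts(log_text):
    """Count credential re-prompts that follow a CitrixAGBasic SSO 401."""
    pending_401, reprompts = False, 0
    for line in log_text.splitlines():
        if AUTH_401.search(line) or SSO_FAILED in line:
            pending_401 = True
        elif pending_401 and REPROMPT in line:
            reprompts += 1
            pending_401 = False
    return reprompts

def gateway_sso_attribute(sso_name_attribute, server_logon_name_attribute):
    """Attribute the Gateway uses for SSO; an unset SSO Name Attribute falls
    back to Server Logon Name Attribute, as the article's note states."""
    return (sso_name_attribute or "").strip() or server_logon_name_attribute.strip()

def attributes_match(sso_name_attribute, server_logon_name_attribute, use_search_by):
    """True when the Gateway's SSO attribute equals the CEM 'Use search by' value.
    LDAP attribute names are compared case-insensitively."""
    gw = gateway_sso_attribute(sso_name_attribute, server_logon_name_attribute)
    return gw.lower() == use_search_by.strip().lower()

# Constructed sample: two failed SSO attempts, abbreviated to timestamp, tag,
# level and message. Host names are placeholders, not values from the article.
SAMPLE_LOG = '''\
" 2022-06-22T14:50:06.972+0800 ",<CAMAUTH>,INFO (4),"HttpResponse#12: 401 (unauthorized) from https://gw.example.test/cvpn/https/enroll.example.test:8443/Citrix/Authentication/CitrixAGBasic/Authenticate  with data length 15"
" 2022-06-22T14:50:07.631+0800 ",X1AuthController,INFO (4),"Fullfill authentication requirements after 401 Response received"
" 2022-06-22T14:50:21.104+0800 ",<CAMAUTH>,INFO (4),"HttpResponse#15: 401 (unauthorized) from https://gw.example.test/cvpn/https/enroll.example.test:8443/Citrix/Authentication/CitrixAGBasic/Authenticate  with data length 15"
" 2022-06-22T14:50:21.770+0800 ",X1AuthController,INFO (4),"Fullfill authentication requirements after 401 Response received"
'''

if __name__ == "__main__":
    print("SSO-related re-prompts:", count_sso_reprompts(SAMPLE_LOG))
    print("Attributes match:",
          attributes_match("UserPrincipalName", "sAMAccountName", "sAMAccountName"))
```

A non-zero re-prompt count together with a failed attribute match points to the mismatch described under Problem Cause.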