1) ADC version 11.1 build 52.13 or newer.
2) SSO started failing on internal applications.
3) Took a trace and found that the request from the client has the Authorization header as below:
4) But the same request sent by the NetScaler to the backend shows an error that users are not authenticated to get full access, and there is no Authorization header set in the response.
Create the traffic policy below and bind it to the NetScaler Gateway virtual server (replace <Gateway_vServer> with the name of your Gateway virtual server):
add vpn trafficAction bearer_sso_off_profile http -SSO OFF
add vpn trafficPolicy bearer_sso_off_policy "HTTP.REQ.HEADER(\"Authorization\").SET_TEXT_MODE(IGNORECASE).CONTAINS(\"Bearer\")" bearer_sso_off_profile
bind vpn vserver <Gateway_vServer> -policy bearer_sso_off_policy -priority 90
The expression uses SET_TEXT_MODE(IGNORECASE) because the HTTP authentication scheme token ("Bearer", "bearer") is case-insensitive. With -SSO OFF the Gateway does not attempt SSO on requests that match, so the client's Bearer token is forwarded to the backend unchanged; requests without a Bearer header keep the existing SSO behavior.
The issue ID documenting this behavior change (regarding the Authorization Bearer header) is listed on the fixed-issues page below:
https://docs.citrix.com/en-us/netscaler/11-1/about-the-netscaler-11-1-release/fixed-issues-in-previous-11-1-builds.html
Reason for this behavior change:
With the Office 2016 suite, Office clients send a Bearer token in the Authorization header as a negotiation with the server. Because this arrives on a new connection to the 401 load-balancing virtual server (401 LB), the NetScaler tries to process the Authorization header and reports the failure as a 200 OK. Office interprets the 200 OK as success and requests the actual page with the Bearer token. The NetScaler then sees that an Authorization header is present and goes into bridge state, so SSO fails.
Fix 1: If the 401 LB sees an unknown Authorization header, send a 401 to the client.
Fix 2: If a Bearer header is seen while deciding on SSO and SSO is ON, corrupt (remove) it and register normal SSO. If it were not corrupted or removed, two Authorization headers would go to the server when SSO is attempted, and the server would respond with a 400.
Fix 2 is also why, from build 52.13 onward, an internal application that relies on the client's own Bearer token no longer receives it when SSO is ON, and why the traffic policy above turns SSO off for such requests.
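To make the sequence above concrete, here is a small Python model of the decisions described in the explanation (pre-fix 401 LB behavior, Fix 1, Fix 2, bridge state) and of the effect of the bearer_sso_off traffic policy. It is an added illustration written for this page, not NetScaler code: the backend, the scheme name Negotiate for the gateway-injected SSO credential and the token strings are constructed assumptions; only the decision logic follows the text.

```python
"""
Model of the NetScaler Gateway 401 LB / SSO decisions described above.
Added illustration, not NetScaler code. Assumptions: the backend accepts
one Authorization header of a known scheme, the gateway's SSO credential
uses the Negotiate scheme, and all tokens are constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    """HTTP request kept as an ordered list of header pairs so duplicates stay visible."""
    path: str
    headers: list = field(default_factory=list)

    def values(self, name):
        return [v for n, v in self.headers if n.lower() == name.lower()]


def has_bearer(values):
    """Same test as HTTP.REQ.HEADER("Authorization").SET_TEXT_MODE(IGNORECASE).CONTAINS("Bearer")."""
    return any("bearer" in v.lower() for v in values)


def backend(req, accepts):
    """Constructed backend: one Authorization header whose scheme is in `accepts` -> 200;
    two Authorization headers -> 400 (malformed, as the page states); otherwise 401."""
    auth = req.values("Authorization")
    if len(auth) > 1:
        return 400
    if auth and auth[0].split(" ", 1)[0] in accepts:
        return 200
    return 401


def lb_401_response(req, fixed):
    """Answer of the 401 LB to the first request on a new connection.
    Pre-fix, failure to process the unknown Bearer header was reported as 200 OK;
    Fix 1 challenges the client with 401 instead. (Known-scheme handshakes are not modelled.)"""
    auth = req.values("Authorization")
    if auth and has_bearer(auth) and not fixed:
        return 200
    return 401


def forward(req, fixed, sso_on, accepts, fix2=None,
            sso_cred="Negotiate <gateway-sso-token>"):
    """Gateway forwarding the real page request to the backend.
    sso_on=False models the traffic action '-SSO OFF' (request passed through as is).
    fix2 defaults to `fixed`; pass fix2=False to see what happens without Fix 2."""
    if fix2 is None:
        fix2 = fixed
    if not sso_on:
        return backend(req, accepts)
    auth = req.values("Authorization")
    if not fixed and auth:
        # pre-fix: any Authorization header puts the gateway in bridge state, SSO is skipped
        return backend(req, accepts)
    headers = list(req.headers)
    if fix2:
        # Fix 2: drop the Bearer header before SSO so only one Authorization header goes out
        headers = [(n, v) for n, v in headers
                   if not (n.lower() == "authorization" and has_bearer([v]))]
    headers.append(("Authorization", sso_cred))
    return backend(Request(req.path, headers), accepts)


def office_client_flow(fixed, sso_on=True):
    """Office 2016 style client: probes with a Bearer token; on 200 OK it requests the page
    with that token, on 401 it falls back to a request the gateway can perform SSO for."""
    probe = Request("/", [("Authorization", "Bearer <office-token>")])
    if lb_401_response(probe, fixed) == 200:
        page = Request("/page", [("Authorization", "Bearer <office-token>")])
    else:
        page = Request("/page", [])
    # this backend expects the gateway's SSO credential, not the Office token
    return forward(page, fixed, sso_on, accepts={"Negotiate"})


def bearer_app_flow(fixed, sso_on=True):
    """Internal app that validates the client's own Bearer token (the case on this page)."""
    page = Request("/api", [("Authorization", "Bearer <app-token>")])
    return forward(page, fixed, sso_on, accepts={"Bearer"})


if __name__ == "__main__":
    print("Office, pre-fix      :", office_client_flow(fixed=False))            # 401: bridge state
    print("Office, fixed        :", office_client_flow(fixed=True))             # 200: Fix 1 + SSO
    print("Bearer app, fixed    :", bearer_app_flow(fixed=True))                # 401: token stripped
    print("Bearer app, -SSO OFF :", bearer_app_flow(fixed=True, sso_on=False))  # 200: workaround
    two = Request("/api", [("Authorization", "Bearer <app-token>")])
    print("Fix 1 without Fix 2  :", forward(two, True, True, {"Negotiate"}, fix2=False))  # 400
```

Run it as a script to print the four outcomes side by side: the pre-fix Office failure (bridge state, backend never gets an SSO credential), the fixed Office flow, the post-fix symptom from this page (the app's Bearer token is removed by Fix 2 and the backend reports the user as not authenticated), and the workaround, where -SSO OFF lets the token through. The last line shows the 400 that Fix 2 prevents when the Bearer header and the SSO credential would both be sent.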