Apologies for adding to an old thread, but this came up in my Google search for the SSO domain error. So for completeness, here are some more details that will hopefully help new F5 admins like myself.
I used this guide to set up a test SSO: https://support.f5.com/csp/article/K41357230
But I was getting an SSO credentials error when looking at the logging:
"SSO username is empty - SSO is disabled"
"Could not find SSO username, check SSO credential mapping agent setting"
"Could not find SSO password for user '', check SSO credential mapping agent setting"
To resolve this I had to add "SSO Credential Mapping" after my AD Auth in the VPE (visual policy editor).
This resolved the above errors, but I was still receiving the "session.logon.last.domain" empty error. As Yan mentioned above, the fix is to add a "Variable Assign" after the SSO Cred map that contains:
Custom Variable-> session.logon.last.domain
Custom Expression-> <your domain> e.g. mydomain.local
Then SSO worked fine to an IIS server with NTLMv2 auth.
I am unsure why the F5 Guide at the top did not work without adding the additional VPE items?