SecretStore doesn't read preferences set up one level from the user. Users require Read/Compare ACL to the Prot:SSO attributes on the OUs that they will read.
For example, user Markus is in OU=RSDev.design.digitalairlines. The corporate scripts are in OU=design.digitalairlines. The SecureLogin client does not enforce (for Markus) preferences in design.digitalairlines. You require Read/Compare ACL to the Prot:LSSO attributes on the RSDev OU. The SecureLogin client now enforces the preferences.