Could you confirm that:
(1) vRO is configured with SSO authentication, and shares the same SSO instance with vSphere Web client? This is required in order SAML tokens passed by vSphere Web client when calling vRO REST API to be successfully validated on vRO side.
(2) The user account you use to login to vSphere Web client is also able to login to vRO Java client? If it cannot login to vRO then you should give the group(s) this user belongs to enough access permissions using vRO Java client.