Have you ever seen "Invalid JWT token" in ambari audit log? I get it when knox comes back to ambari after authenticating with something different than LDAP. Deleting the cookies does not work, and I think this is the base of my problem.
Somehow ambari does not like the generated token.
I had a same problem in Ranger UI with Knox SSO, I did following
2.Changed SSO provider url from https://<xxxx>.<xxx>:8443/gateway/knoxsso/api/v1/websso to https://<xxxx>.<xxx>.<xx>:8443/gateway/knoxsso/api/v1/websso
3. set knoxsso.cookie.secure.only=false in Knoxsso topology.
4. changed knoxsso.redirect.whitelist.regex property in knoxsso topology to support new host.
I am able to open ranger UI after above changes :).
Check whether the time is in sync between knox server and ambari server. Check whether ntp service is running in both the machines