This video part explains the process to authenticate to the SAP's OnPremise connectivity component via the SAML2 Grant flow where a SAML Token is exchanged for a JWT token that is used eventually to authenticate to the Cloud Foundry component to establish Single Sign-On.
Resources to set up a SAML flow from API Management tenant running in CF by directly authenticating to XSUAA: