So many days passed. Now I know why it happened. When I create a certification in command line.
keytool -genkey -alias wsria -keyalg RSA -keystore d:/keys/wsriakey
Then I should use the single-sign-on server domain to answer the first question. eg.
sso.wsria.com