For FSSO with Citrix on Terminal Servers, you would also need Terminal Server Agents on each TS.
Without it, each new user will overwrite the previous user. Why? Because the traffic will leave the server from the same IP. You can't have multiple users on the same IP. The TS Agent will allocate a particular port range to each user as a way to distinguish the users. These ports will be used for the users' traffic. In the traffic logs for these users, you would notice that the originating port will be from the range of ports the user got allocated. On the FortiGate run: di de authd fsso list
If there is an antivirus or similar on the TS server, it will likely proxy the traffic before it leaves the TS and will also change the allocated ports, as it is not transparent. This will result in traffic not matching the policy...
This, in general, works in most cases.
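As an added example (not part of the post above), here is a small Python check that does the matching the poster describes by hand: it maps each traffic log line's source port back to the user whose TS Agent port range contains it, and flags ports that fall outside every range, which is the symptom you get when a non-transparent proxy on the TS rewrites the source ports. The port allocations, the server IP and the log lines are constructed assumptions, not real output of the FortiGate commands.

```python
"""Match Terminal Server traffic to users by TS Agent per-user source port range."""
import re

# Constructed allocation table (assumption): server IP -> (user, first port, last port).
# A real deployment would take these from the TS Agent / FSSO collector, not hard-code them.
ALLOCATIONS = {
    "10.10.10.50": [("alice", 20000, 20199), ("bob", 20200, 20399)],
}

# Constructed FortiGate-style key=value traffic log lines (sample data, not real logs).
SAMPLE_LOGS = [
    'srcip=10.10.10.50 srcport=20050 dstip=203.0.113.9 dstport=443 user="alice" action=accept',
    'srcip=10.10.10.50 srcport=20250 dstip=203.0.113.9 dstport=443 user="alice" action=accept',
    'srcip=10.10.10.50 srcport=49153 dstip=203.0.113.9 dstport=80 action=deny',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line):
    """Parse a key=value log line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def resolve_user(srcip, srcport):
    """Return the user whose allocated port range on srcip contains srcport, else None."""
    for user, low, high in ALLOCATIONS.get(srcip, []):
        if low <= srcport <= high:
            return user
    return None


def audit(lines):
    """Return one (srcport, expected_user, logged_user, status) tuple per log line."""
    results = []
    for line in lines:
        fields = parse_log(line)
        port = int(fields["srcport"])
        expected = resolve_user(fields["srcip"], port)
        logged = fields.get("user")  # absent when FortiGate could not identify the user
        if expected is None:
            status = "port outside every TS Agent range (rewritten by a proxy?)"
        elif expected != logged:
            status = "user mismatch"
        else:
            status = "ok"
        results.append((port, expected, logged, status))
    return results


if __name__ == "__main__":
    for row in audit(SAMPLE_LOGS):
        print(row)
```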