Interesting - that blog post implies that the OU must be unique for each service, and this KB backs it up: http://kb.vmware.com/kb/2037432
The OpenSSL configuration when generating requests must:
- Have the subject alternative name field included in them
- Have unique OrganizationalUnitNames for the components
- Include digitalSignature, keyEncipherment, dataEncipherment components for Key Usage
I hadn't realised that - I must have just used the default samples from that KB... The OU field is definitely not necessary for cert generation, but apparently is important for SSO registration.
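A pre-flight check for the three requirements quoted from the KB above, run over the per-component OpenSSL request configs before any CSR is generated. This is an added example, not code from the KB or from the poster; the config layout (a `[ req ]` section pointing at `dn` and `v3_req`), the component names and the OU values are assumptions made for illustration.

```python
import re
from collections import Counter
REQUIRED_KU = {"digitalSignature", "keyEncipherment", "dataEncipherment"}
# Constructed sample config; host name and OU values are placeholders.
TEMPLATE = """[ req ]
distinguished_name = dn
req_extensions = v3_req
[ v3_req ]
keyUsage = {ku}
{san}
[ dn ]
commonName = host.example.test
organizationalUnitName = {ou}
"""

def parse_cnf(text):
    """Parse a simple OpenSSL config into {section: {key: value}}."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_configs(configs):
    """configs maps component name -> config text; returns problems per component."""
    parsed = {name: parse_cnf(text) for name, text in configs.items()}
    def section(cnf, pointer):  # follow e.g. req_extensions = v3_req
        return cnf.get(cnf.get("req", {}).get(pointer, "missing"), {})
    ous = {n: section(c, "distinguished_name").get("organizationalUnitName")
           for n, c in parsed.items()}
    counts = Counter(ou for ou in ous.values() if ou)
    problems = {}
    for name, cnf in parsed.items():
        ext, found = section(cnf, "req_extensions"), []
        if not ext.get("subjectAltName"):
            found.append("no subjectAltName")
        usage = {v.strip() for v in ext.get("keyUsage", "").split(",")}
        if REQUIRED_KU - usage:
            found.append("keyUsage missing " + ", ".join(sorted(REQUIRED_KU - usage)))
        if counts[ous[name]] != 1:
            found.append("organizationalUnitName missing or not unique")
        problems[name] = found
    return problems
```

Pass `check_configs` a dict of component name to config text; an empty list for a component means its config meets all three requirements, and a reused OU is reported on every component that shares it.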