Hi,
I think your environment is IDP Initiated SSO. It is the default in CA PPM SaaS.
It has 2 access paths, as follows.
1. IDP(ID Provider) --> SP(Service provider: CA ondemand portal) --> PPM
2. SP(Service provider: CA ondemand portal) --> PPM
If SAML-Only is enabled for users, the second path (2. SP-->PPM) will not be available anymore.
Only the first path (1. IDP--> SP -->PPM) is available, so users have to access PPM via IDP.
Tenant admin is not configured as SAML-Only, so Tenant admin is allowed to access PPM by using the above 2 paths.
I don't know the details of your requirement, and my following idea may not fit your requirement.
------------------
In an SP Initiated SSO environment, users have to access the SP first.
The SP will communicate with the IDP for authentication. It means that users always access PPM via the CA ondemand portal.
I think that IDP Initiated SSO is the default in CA PPM SaaS, and SP Initiated SSO may have some limitations.
Thank you.