Re-cap:
I reviewed this documentation:
- "Configure Windows AD Authentication for Business Object Enterprise XI 3.1", by Hemant Kumar, March 2011
- Configuring Vintela SSO in Distributed Environments - Complete Guide (your most recent recommendation)
I reviewed all server and CMC settings for our test machine (which works for AD) and our Prod machine. Everything looks good, except Prod is not working 
(test works fine).
My conclusion is there is something wrong with the AD group, but I am not sure how to troubleshoot this.
Here are the following tests I've run:
setspn -l works for both test and prod
kinit works for both test and prod
on the test machine, I can log on to to the BO server as myself, but am unable to do so on Prod
then on CMC, I cannot enter the Mapped AD Member group
