I can't find it so quickly, but I think there's a restriction that you can't revoke sso_role if this is the only login left having the sso_role granted (but I've never tested that scenario myself)
If all logins with sso_role are locked out, you can restart your server with extra options to list all the logins with system roles granted (-A systemrole or --role-logins), and with other option ( -p login ) you can reset and unlock a login with system roles.
Why this behavior was changed I don't know.
Personally I prefer the way it works on 15.7