/api/refresh-tokens always returns parent org token despite orgRef, breaks SSO login tokens

Barbara Steinberg shared this question 26 days ago
Completed


We're running Yellowfin 9.17 (PostgreSQL) with multi-tenant SSO. After rebuilding our production EC2 from an AMI snapshot, our SSO flow broke. We use the REST API to generate login tokens for embedded dashboards.

The flow:

  1. POST /api/refresh-tokens with orgRef="10044" (our client org's customer ID)
  2. POST /api/access-tokens using the refresh token
  3. POST /api/login-tokens to log the end user into the dashboard

The problem: Step 1 always returns a refresh token stored with iporg=1 (parent org) regardless of the orgRef passed. The resulting access token always has "client":"1". Step 3 then fails with COULD_NOT_AUTHENTICATE_USER — we believe because /api/login-tokens requires the access token to be scoped to the client org.

What we found: In our production YF database, the system admin user (ipperson=5) has rltshptypecode=STAFFMEMBER in iprltshp for ipparent=1. On our staging instance, the same admin has rltshptypecode=MEMBER for ipparent=1, and /api/refresh-tokens correctly generates client-org-scoped tokens (iporg=client org). Staging SSO works perfectly.

What we tried: Manually changing the production iprltshp record from STAFFMEMBER to MEMBER causes INVALID_CREDENTIALS on /api/refresh-tokens even after restarting Yellowfin. We cannot authenticate at all with MEMBER set.

Questions:

  1. What controls whether /api/refresh-tokens scopes the token to the client org vs parent org when orgRef is specified?
  2. How does the STAFFMEMBER→MEMBER transition for the system admin normally happen? On staging it happened automatically when a client org was first provisioned via the YF admin UI.
  3. Is there a supported way to trigger this transition, or a configuration setting that controls this behavior?
  4. Why does MEMBER break admin authentication on one instance but not another when the ipclass records are identical?

Any help appreciated — our production SSO has been down for 3 days.
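An added diagnostic for the three-step flow described above (example code, not from the post or from Yellowfin): it drives refresh -> access -> login tokens through an injectable transport, decodes the access token's `client` claim, and refuses step 3 when the token is scoped to a different org than the `orgRef` requested, so the failure surfaces as a scope mismatch instead of a later COULD_NOT_AUTHENTICATE_USER. Only the endpoint paths and the `client` claim come from the post; the request/response field names (`securityToken`, `refreshToken`, `username`) and the transport are assumptions, and `broken_server` is a constructed stand-in for the production symptom.

```python
import base64
import json
from typing import Callable, Dict

# Hypothetical transport: (path, json_body) -> parsed JSON response.
Poster = Callable[[str, Dict], Dict]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def make_token(claims: Dict) -> str:
    """Build an unsigned JWT (placeholder signature) for constructed test data."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"


def jwt_claims(token: str) -> Dict:
    """Read the payload segment; no signature check, inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def token_scoped_to_org(access_token: str, org_ref: str) -> bool:
    """True when the 'client' claim names the org requested via orgRef."""
    return str(jwt_claims(access_token).get("client")) == str(org_ref)


def login_flow(post: Poster, org_ref: str, end_user: str) -> Dict:
    """Steps 1-3 from the post, refusing step 3 on a wrongly scoped token."""
    refresh = post("/api/refresh-tokens", {"orgRef": org_ref})
    access = post("/api/access-tokens", {"refreshToken": refresh["securityToken"]})
    token = access["securityToken"]
    if not token_scoped_to_org(token, org_ref):
        got = jwt_claims(token).get("client")
        raise RuntimeError(f"access token scoped to client {got!r}, expected {org_ref!r}")
    return post("/api/login-tokens", {"username": end_user})


def broken_server(path: str, body: Dict) -> Dict:
    """Constructed stand-in for the production symptom: client is always '1'."""
    if path == "/api/refresh-tokens":
        return {"securityToken": make_token({"client": "1", "type": "refresh"})}
    if path == "/api/access-tokens":
        return {"securityToken": make_token({"client": "1", "type": "access"})}
    raise AssertionError("step 3 must not be reached with a parent-org token")
```

Swap `broken_server` for a real HTTP poster to run it against an instance; the scope check is the part worth keeping in any token-issuing job.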

Replies (2)


Fixed by YF support


Hi Barbara,

Since we have resolved the issue with refresh token generation for the client org, I will go ahead and mark this ticket as completed. Please let me know if anything else comes up.

Thanks,

Deeapk
