Hi Jon,
I had the same issue with my testing.
I had Active Directory Basic sync setup within UEM, so all the our domain users were syncing to WS ONE but when I selected the domain upon login it would always fail. I then edited the default policy in WS ONE so that all devices would authenticate using Airwatch auth first, then local directory as fall back. I was doing a lot of tweaking at the time, so there is a small chance something else I did resolved it but I am fairly sure this was the fix.
Regards, Leo