If you're using the CA API Gateway, then that would be your Authorization Server using the OAuth Toolkit I would imagine.
CA API Management OAuth Toolkit - Home - CA API Management OAuth Toolkit - 4.2 - CA Technologies Documentation
And then offload the authentication event itself from API GW -> CA SSO by customizing the log in flow.
Support Optional Authentication Mechanisms - CA API Management OAuth Toolkit - 4.2 - CA Technologies Documentation
CA SSO itself, without the API GW, supports OIDC Provider with 12.7. But doesn't have the same fuller feature set of OAuth 2.0 support that API GW has so far as I've seen (but easier to setup and manage if all you need is OIDC primarily and optionally some static scopes ).
Edit: Well it was moved from the API Community so my response above doesn't make as much sense! Assumed it was API GW related since it was there lol.
=======
For CA SSO you need 12.7 and Access Gateway. The instructions at Docops pretty much spell it all out pretty well to support OIDC Provider.
Use CA Single Sign-On as OpenID Connect Provider - CA Single Sign-On - 12.7 - CA Technologies Documentation
If that's all you need, it's actually pretty painless to get rolling with it by setting up the secure redirect.jsp realm, create the OAuth Provider and register some clients.