On the problem workstations, create or edit the following registry value under HKLM\SOFTWARE\Protocom\SecureLogin
ForceHKLMAndNoDPAPI (DWORD) set to 1
This setting changes the NSL encryption, especially as used for Windows roaming profiles. Specifically, it changes the way SecureLogin creates the unique user key that encrypts SecureLogin data. If this registry key is NOT set, the Microsoft DPAPI is used to generate a unique user key that is used to encrypt user credentials in the directory. This is the default mode.
This registry key is used when the MS DPAPI is not able to be accessed, and provides an alternate method of generating the unique user key. Deployments using standard MS profiles do not use this key. However, if you are using roaming, mandatory or temporary profiles, the DPAPI option does not work due to limitations in the Microsoft API (the MS DPAPI does not make itself available to these types of profiles). Creating this key allows those profiles to be handled correctly.