Explicitly logging out the token to avoid leaving it in a non-stable state.
Just calling session.close() will, sometimes, leave the TPM in an inconsistent state which will cause it to generate a bad RSA key, despite reporting key generation successful. Further use of the key will generate incorrect signatures.
Problem does not reproduce all the time, and the likelihood of happening appears to vary depending on the hardware used (Cr-48 > AGZ > L13). Calling session.logout() before session.close() fixes the issue.
TEST=enroll a certificate and successfully connect to Google-A on Cr-48 device.