I have found some configuration parameters which might affect the length, but nothing that really defines it. I have found some that are 94 characters and some that are 107.
TIA
It would be best to not rely on the length of the SSO token.
Future releases of OpenAM may change the token encoding (using a JWT, for example). You will want to make generous allowances for this.