When SSO is configured in the Operations Center (CJOC) the login process happens against the CJOC unless it is down. On this case, there is an offline fallback mechanism which allows users to continue loging into the instance through the controllers. This fallback mechanism will only work in case the authentication plugin used in CJOC is also installed in the same version in the controllers.
In case you selected SSO in the CJOC there is no cache in the controllers as the auth is done on CJOC - cache is only done in CJOC, so caching will only start on the controllers once CJOC is dead and controller uses the fallback. When the fallback happens, the controllers will connect to the LDAP server as a fallback and then it will cache these responses in the LDAP lookup. When CJOC comes back it will no longer query the ldap server.
The size and TTL of cache depends on how it is configured in the LDAP plugin configuration under Manage Jenkins -> Configure Global Security