That helps, so something in the CHKP configuration that needs to be tweaked. To be sure the CHKP-Okta piece works, you can always set RADIUS as the auth method in the user object where the user also exists in Okta. Not scalable, but some times nice to see something works 😉
To simplify things you may want to ignore RADIUS user group part of the Okta docs and check your External User Profile settings.
.............
6. Navigate to SECURITY POLICIES and select Access Control. This displays Access Tools VPN Communities. Click on VPN Communities. Double click to open the RemoteAccess community and add the gateway object.
7. Click Participant User Groups and accept the default All Users.
8. Click OK to save the settings.
9. The option to create an External User Profile (generic*) is only available using the legacy SmartConsole Client. To launch legacy SmartDashboard go under "Manage & Settings" and select the "Configure in SmartDashboard" for the Mobile Access option
10. In the lower left corner click on the Users object. Right click on External User profile and select New External User profile -> Match all users.
11. Click Authentication and select RADIIUS as the authentication scheme. Select the RADIUS server configured above, for example MyRADIUS.