If possible, make sure that you have the latest version of Azure AD Connect installed. (Older versions require an outbound connection to port 9090, and not having that connection can through this error.)
If you are using an older version of Azure AD Connect, make sure that the outbound TCP port 9090 is allowed on the on-premises firewall and the URL of the service endpoint (*.register.msappproxy.net) is allowed on the on-premises proxy server.
If the TCP port 9090 is blocked for outbound traffic on the on-premises firewall or the URL is blocked on the on-premises proxy server, you are likely to see the error, "Cannot retrieve single sign-on status."
If you are also getting an "invalid user name or password" error in the trace logs, you may need to disable security defaults and disable MFA altogether for the tenant altogether since that can affect the SSO.
Lastly, please check that SSO is enabled in the tenant itself.
https://stackoverflow.com/questions/42024262/azure-ad-connect-single-sign-on-error-with-setup