The VPN login page was implemented with RADIUS authentication, with the RADIUS server sending back Accept or Reject (by authenticating AD and OTP). Let's take the time taken to do 1 authentication to be T1.
However, in order to let users key in the 2nd field on the OTP page, we split the password and OTP from a single field into two fields; this time the SA 4500 authenticates the AD, then RADIUS. The time taken for 1 authentication, T2, is much longer than T1.
Is your AD connection via the AD/NT server instance or LDAP? If the former, please move to the latter and confirm login is much quicker. If you are using one of the very few (1-2) instances in which LDAP is not easily feasible, and you are currently doing group membership, can you switch to username for role mapping?