It seems to suggest that root suffix for my deployment should look like "ou=openam-cts,o=xx.xx.sg". (RED arrow). However, during testing, I found out that sessions are created right under "ou=openam-cts,o=xx.xx.sg, and not the desired "ou=famrecords,ou=openam-session,ou=tokens,dc=openam-cts,o=xx.xx.sg".
The actual format for root suffix should be "ou=famrecords,ou=openam-session,ou=tokens,[your organization]".
This will create the OpenAM sessions nicely under ou=famrecords.