Thank you for your question!
In the vast majority of SAML apps, Okta does not pass or handle certs for login flows, whether IdP or SP initiated, because we don't validate the signature on the inbound SAML request. We simply grab the request ID of it.
I can confirm that there are some apps that require encryption for the message coming back to us. In that scenario, Okta would need to upload a cert provided by the SP, and does have the capability to do so.
If you have additional questions or need further clarification, I would recommend opening a ticket with Okta Support.
Justin M. Bergez
Technical Support Engineer - Tier 2
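To see what an AuthnRequest exposes when its signature is not checked, the sketch below decodes a `SAMLRequest` value and reports the request ID, the issuer and whether a signature element is present at all. It is an added example, not part of the original answer and not Okta's code; the function names, the size cap and the `sp.example.com` sample are assumptions made for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
MAX_XML_BYTES = 64 * 1024  # assumed cap so a small payload cannot inflate without bound

def decode_saml_request(b64: str, deflated: bool = True) -> bytes:
    """Decode a SAMLRequest: HTTP-Redirect is base64 + raw DEFLATE, HTTP-POST is base64 only."""
    raw = base64.b64decode(b64, validate=True)
    if not deflated:
        return raw
    d = zlib.decompressobj(-15)  # -15 selects raw DEFLATE (no zlib header)
    xml = d.decompress(raw, MAX_XML_BYTES)
    if d.unconsumed_tail:
        raise ValueError("AuthnRequest exceeds size cap")
    return xml

def summarize_authn_request(xml: bytes) -> dict:
    """Parse an AuthnRequest as untrusted input and return its identifying fields."""
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTDs are not allowed in SAML messages")
    root = ET.fromstring(xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    request_id = root.get("ID")
    if not request_id:
        raise ValueError("AuthnRequest has no ID")
    return {
        "request_id": request_id,  # the value a SAML Response carries as InResponseTo
        "issuer": (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip(),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        # Presence is reported only; nothing here verifies the signature.
        "has_embedded_signature": root.find("ds:Signature", NS) is not None,
    }

def constructed_sample(signed: bool, deflated: bool) -> str:
    """Build a constructed AuthnRequest (hypothetical SP, placeholder signature element)."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if signed else ""
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_constructed123" '
           'Version="2.0" AssertionConsumerServiceURL="https://sp.example.com/acs">'
           '<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>%s'
           '</samlp:AuthnRequest>' % (NS["samlp"], NS["saml"], sig)).encode()
    if deflated:
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        xml = c.compress(xml) + c.flush()
    return base64.b64encode(xml).decode()

if __name__ == "__main__":
    print(summarize_authn_request(decode_saml_request(constructed_sample(False, True))))
```

Because the issuer and ACS URL in an unverified request are caller-controlled, they are only meaningful when matched against what is already configured for the app.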