I finally figured it out. I had to modify the "User Source" of the "Provider Configuration" within the "Identity Providers" options of the:

In the general security options I had to change the "Designer Authentication Strategy" from "Classic" to "Identity Provider".
Now the OT Domain users can access both the Gateway (depending on the Role they can see Home, Status or Config) and also access the "Designer".
What is not clear to me is what would happen if the authentication against the AD fails? Supposedly I have configured the User Source "OT domain" to validate against the "default" (in which I have an admin user) in case of failure. I have set the failure mode to "Soft", but maybe it should be set to "Hard".
Thank you very much for your help!

