Does anyone have experience trying to develop a company-specific security configuration baseline for SaaS platforms? Is there any such thing as an industry standard benchmark (similar to CIS) for SaaS that could be used as a starting point? Or, would recommendations from the SaaS vendor itself or an SSPM tool vendor (like AppOmni) be the best place to start?
Common benchmarks are often about redeployable or reusable services. In a cloud context, that's often for IaaS and PaaS areas, and less for SaaS. Of course, there might be CIS benchmarks for SaaS when it is a very popular one with lots of knobs and switches - after all, it is also community-driven development there. But for most of the services and technologies that our company comes in contact with, there are no CIS benchmarks available.
If you look at the purpose of secure configuration baselines, it is to make sure that a service is configured as secure as possible to the best of your knowledge. Preferably, you also document how you would validate that the secure configuration is still in place, have a process for managing deviations/exceptions, and perhaps even some automation to enforce it.
The source material to use for a secure configuration baseline is what defines "to the best of your knowledge". Using independent benchmarks drafted by several people gives a higher assurance that it covers as much as possible, which is why CIS is a popular resource to take. But CIS is not the sole resource to use, as otherwise you get people blindly stating "there is no CIS benchmark so we do not need to draft a secure configuration baseline". Because of that, our organization also refers to a more generic resource that you can use, the 13-05 All Controls (opensecurityarchitecture.org) control catalog. While this is not specific to a service (it is a high-level description), you can derive practices for SaaS the moment you have a better understanding of what configurations your SaaS supports.
Alongside OSA, of course, use the security practices referenced by the vendor itself. While those are often not as expansive as CIS, ignoring them would again loosen the interpretation of "to the best of your knowledge".
Personally, I also like to do a search on community forums searching for terms like "configure", "customize", "secure". Occasionally, it gives information on how to address something you didn't think of yet.
I also recommend that you draft your secure configuration baseline in a structured manner, not blindly following the source material structure (as then adding additional rules later on might feel forced) but one that seems to fit your organization more. For each rule, document the source material(s) used, what threat(s) it tries to cover, how vital the configuration item is (low/medium/high - this can help in your governance for deviations), and how to check it. Allow the baseline to be updated when you get requests for deviations: you might want to document then how to implement deviations, where these deviations should be governed, how to track deviations (i.e. who requested them, when, and for which purpose), etc.
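One way to implement the structured baseline described in this answer, as an added example that is not part of the original post: each rule carries its source material, the threat(s) it covers, its criticality and its check, and each deviation records who requested it, when, for what purpose, and when it expires. The setting names, rule IDs, sample tenant configuration and deviation register are constructed assumptions, not any vendor's real keys.

```python
from collections import namedtuple
from datetime import date

# Added, constructed example: setting names and rule IDs are assumptions, not any vendor's real keys.
# A rule records its source material, the threat(s) it covers, its criticality and how to check it.
Rule = namedtuple("Rule", "rule_id setting check sources threats criticality")
# A deviation records who requested it, when, for what purpose, and when it must be re-reviewed.
Deviation = namedtuple("Deviation", "rule_id requested_by requested_on purpose expires")

BASELINE = [
    Rule("SSO-01", "sso_enforced", lambda v: v is True,
         ["vendor hardening guide"], ["credential stuffing"], "high"),
    Rule("MFA-01", "mfa_required", lambda v: v is True,
         ["OSA 13-05"], ["account takeover"], "high"),
    Rule("SHARE-01", "external_sharing", lambda v: v == "disabled",
         ["vendor hardening guide"], ["data leakage via shared links"], "medium"),
    Rule("LOG-01", "audit_log_retention_days", lambda v: isinstance(v, int) and v >= 365,
         ["OSA 13-05"], ["insufficient forensic evidence"], "low"),
]

def evaluate(config, deviations, today):
    """Map each rule ID to 'pass', 'deviation' (approved and not expired) or 'fail'."""
    approved = {d.rule_id for d in deviations if d.expires >= today}
    result = {}
    for rule in BASELINE:
        if rule.check(config.get(rule.setting)):
            result[rule.rule_id] = "pass"
        else:
            result[rule.rule_id] = "deviation" if rule.rule_id in approved else "fail"
    return result

def blocking_failures(findings):
    """Failed high-criticality rules, which should not be waived without escalation."""
    crit = {r.rule_id: r.criticality for r in BASELINE}
    return sorted(i for i, s in findings.items() if s == "fail" and crit[i] == "high")

# Constructed tenant configuration export and deviation register.
SAMPLE_CONFIG = {"sso_enforced": True, "mfa_required": False,
                 "external_sharing": "allowlist", "audit_log_retention_days": 90}
SAMPLE_DEVIATIONS = [
    Deviation("SHARE-01", "sales-ops", date(2024, 1, 10), "partner portal pilot", date(2025, 6, 30)),
    Deviation("MFA-01", "helpdesk", date(2023, 3, 1), "legacy integration account", date(2023, 9, 1)),
]

def sample_findings():
    """Run the baseline against the constructed export on an assumed review date."""
    return evaluate(SAMPLE_CONFIG, SAMPLE_DEVIATIONS, date(2024, 6, 1))
```

The expired MFA-01 deviation no longer counts as approved, so that rule reports as a failure and, being high criticality, shows up as blocking.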
Thank you for your insights Sven!

I agree with the insights shared by Sven. The OSA all controls catalog is a good place to evolve from. As SaaS applications have many different configurations, and SaaS brings a unique threat in third-party SaaS-to-SaaS integrations, the SaaS Event Maturity Matrix (EMM) https://eventmaturitymatrix.com/ from AppOmni is also a good place to refer to for a baseline.