Here is the official answer from Microsoft:
Site collection creation fails with access denied error when the master site directory site collection is located on a web application which is using the new claims aware authentication method.
Cause for Rejection and Technical Explanation
The Microsoft Office team has reevaluated this bug and unfortunately our initial decision still holds. We realize that this causes a lot of inconvenience but the code change required is extremely large and introducing a change can leave behind a huge and unexpected bug trail.
The site directory feature has been deprecated in SharePoint 2010.
Site Directory provided site collection admins a central location where they can pin bunch of URLs with categories. Users could then browse through categories, view and access all URLs/sites associated with the site collection. In SharePoint 2010, social tagging provided a much richer way to categorize URLs, and we provided tag cloud web part for navigation. To avoid having two similar solutions, site directory was deprecated.
Please know we carefully review all Hotfix request because each code change that we implement must maintain or improve the quality and stability of the product. We strive for this to ensure the continuing integrity of the code base and to maintain a supportable product. While we recognize the impact that this issue is having on you, we cannot compromise the stability of the product’s code base using the Hotfix process.
1. Ensure that the master site directory site collection is located on a web application which is using classic windows authentication.
2. Disable master site directory setting and explore the capabilities of the new social tagging feature to categorize sites. Learn more about this new feature at ”Social tagging overview (SharePoint Server 2010)” http://technet.microsoft.com/en-us/library/ff608137.aspx