The normal sequence of events for Basic UN/PW authentication is actually two requests and responses when using a browser:
step1:
client -- (sends request) -> server
client <-- (401 response) -- server
The browser/client can then respond to the 401 (unauthorized) response. Usually it will pop up a dialog box for the user to enter a UN/PW and then send a new request, passing the original request and the UN/PW credentials, e.g. for Basic UN/PW:
step2:
client -- (re-send request this time with Authenticate header) -> server
client <-- (200 response page) -- server
This two-step process is often not convenient for webservice calls, so with webservices a shortcut is often used where the Authenticate header is sent pre-emptively with the first request.
step1:
client -- (send request this time with Authenticate header) -> server
client <-- (200 response page) -- server
For the CA SSO Access Gateway (formerly Secure Proxy Server), when doing the browser two-step process, the gateway sets a cookie SMCHALLENGE=YES on the first step, which it then expects to see in the 2nd request, in addition to the Authenticate header.
The CA SSO Access Gateway (formerly Secure Proxy Server) can do the shortened one-step pre-emptive Basic authentication, but in addition to sending the Authenticate header, the cookie SMCHALLENGE=YES also needs to be sent.
(The SMCHALLENGE cookie was introduced to CA SSO to stop some cases where failed Auth/Az would result in an endless 302 redirect loop.)
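The one-step pre-emptive call described above, as an added example that is not part of the original article or CA's code: the credentials go in the HTTP Authorization request header (the "Authenticate header" in the text) together with the SMCHALLENGE=YES cookie. The local GatewayStub, the sample credentials and the function names are constructed for illustration, and the stub answering 401 when the cookie is missing is an assumption.

```python
import base64, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PW = "demo-user", "demo-pass"  # constructed sample credentials

def basic_value(user, pw):
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

class GatewayStub(BaseHTTPRequestHandler):
    """Constructed local stand-in for the described behaviour; not CA code."""
    def do_GET(self):
        cookie = self.headers.get("Cookie", "")
        creds_ok = self.headers.get("Authorization") == basic_value(USER, PW)
        if creds_ok and "SMCHALLENGE=YES" in cookie:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"protected page")
        else:
            # Assumed: challenge again and set the cookie, as in browser step 1.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.send_header("Set-Cookie", "SMCHALLENGE=YES")
            self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def preemptive_get(url, user, pw, send_challenge_cookie=True):
    """One-step call: credentials (and optionally the cookie) on the first request."""
    req = urllib.request.Request(url)
    req.add_header("Authorization", basic_value(user, pw))
    if send_challenge_cookie:
        req.add_header("Cookie", "SMCHALLENGE=YES")
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), GatewayStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/"
    try:
        return preemptive_get(url, USER, PW, True), preemptive_get(url, USER, PW, False)
    finally:
        server.shutdown()
        server.server_close()
```

Calling run_demo() returns the status of the pre-emptive request with the cookie, followed by the status of the same request without it.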