Problem With the Self-Service Password Reset Feature

Article ID: 129784


Products

CA Identity Manager, CA Identity Governance, CA Identity Portal

Issue/Introduction

If Identity Manager is integrated with SiteMinder and the SiteMinder side is a cluster of Policy Servers, you may see the following behaviour: a user is redirected to the Identity Manager password services URL to change a password (either because the Password Must Change flag is set or through a Forgotten Password task), submits the change, and is then logged out of the system. The Identity Manager log records the following error:

Unable to determine user from SiteMinder token: No items found

Environment

Identity Manager 12.x and 14.x
SiteMinder Policy Server 12.x

Cause

Identity Manager uses the SMTOKEN value passed in the password services URL to identify the user whose password is being changed, and validates that token with the Policy Server. In a Policy Server cluster, the validation request may be handled by a node other than the one that issued the token. Delays between cluster nodes can leave that node unable to resolve the token by the time it is validated, so the lookup fails with "No items found" and the session is dropped.

Resolution

To resolve this, edit /iam_im.ear/policy-server.rar/META-INF/ra.xml so that only the original request to the password services URL is validated with the Policy Server, by changing the value of the following config-property to false:

        <config-property>
            <config-property-name>ValidateSMHeadersWithPS</config-property-name>
            <config-property-type>java.lang.String</config-property-type>
            <config-property-value>false</config-property-value>
        </config-property>

Restart the Identity Manager application server after saving this change; the setting is read at startup. Once it is in effect, follow-up requests in the password change flow are no longer re-validated against the Policy Server, so the token resolution error should not recur.

Note that with ValidateSMHeadersWithPS set to false, Identity Manager relies on the SiteMinder headers as set by the Web Agent in front of it rather than re-checking them with the Policy Server. Make sure the Identity Manager application server can only be reached through the agent-protected path, and apply the same change on every Identity Manager node in the deployment so behaviour is consistent.
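The change above is a one-line edit, but it has to be made on every Identity Manager node and verified after the fact. The following script is an added example, not CA/Broadcom code: it locates the ValidateSMHeadersWithPS config-property in an ra.xml, reports its current value and sets it to false. Element matching is done on local names, so the J2EE namespace used in the embedded sample descriptor (which is constructed for this example and reduced to the relevant elements) is an assumption that does not affect the result.

```python
# Added example (not CA/Broadcom code): read and set the
# ValidateSMHeadersWithPS config-property in a resource adapter
# descriptor (ra.xml) and confirm the change before restarting.
import sys
import xml.etree.ElementTree as ET

PROPERTY = "ValidateSMHeadersWithPS"

# Constructed sample descriptor, reduced to the parts that matter.
# A real ra.xml carries many more properties; the J2EE namespace
# here is an assumption, the code below matches on local names.
SAMPLE_RA_XML = """<connector xmlns="http://java.sun.com/xml/ns/j2ee" version="1.5">
  <resourceadapter>
    <outbound-resourceadapter>
      <connection-definition>
        <config-property>
          <config-property-name>ValidateSMHeadersWithPS</config-property-name>
          <config-property-type>java.lang.String</config-property-type>
          <config-property-value>true</config-property-value>
        </config-property>
      </connection-definition>
    </outbound-resourceadapter>
  </resourceadapter>
</connector>
"""


def _local(tag):
    """Strip any {namespace} prefix so matching is namespace-agnostic."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, local_name):
    """First direct child of elem whose local tag name matches."""
    return next((c for c in elem if _local(c.tag) == local_name), None)


def _parse(xml_text):
    root = ET.fromstring(xml_text)
    # Keep the document's default namespace unprefixed when re-serialising.
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    return root


def _find_property(root, name):
    """Return the <config-property> element named `name`, or None."""
    for cp in root.iter():
        if _local(cp.tag) != "config-property":
            continue
        n = _child(cp, "config-property-name")
        if n is not None and (n.text or "").strip() == name:
            return cp
    return None


def get_property(xml_text, name=PROPERTY):
    """Current <config-property-value> for `name`, or None if absent."""
    cp = _find_property(_parse(xml_text), name)
    if cp is None:
        return None
    v = _child(cp, "config-property-value")
    return (v.text or "").strip() if v is not None else None


def set_property(xml_text, value, name=PROPERTY):
    """Return xml_text with `name` set to `value`; fail loudly if missing."""
    root = _parse(xml_text)
    cp = _find_property(root, name)
    if cp is None:
        raise KeyError(f"{name} not found in ra.xml")
    v = _child(cp, "config-property-value")
    if v is None:
        raise KeyError(f"{name} has no config-property-value element")
    v.text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python set_validate_sm_headers.py /path/to/iam_im.ear/policy-server.rar/META-INF/ra.xml
    # Back the file up first: ElementTree drops XML comments on re-serialisation.
    path = sys.argv[1]
    with open(path, encoding="utf-8") as f:
        original = f.read()
    print(f"{PROPERTY} before: {get_property(original)}")
    updated = set_property(original, "false")
    with open(path, "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="UTF-8"?>\n' + updated)
    print(f"{PROPERTY} after:  {get_property(updated)}")
```

Run it against the ra.xml on each node, then restart that node's Identity Manager service; the "after" line confirms the value the server will read at startup.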