Support tested to validate the SSO response can be tied to RULE, OnAccept rule (AU), OnAccess rule (AZ)
AdminUI (SSO) configured 3 LDAP attributes included them in a response group (APIM-GRP). Example User Attribute response: MyTelephoneNumber=<%userattr="TelephoneNumber"%> (LDAP attribute name = TelephoneNumber)
Details Response configuration:
<Please see attached file for image>

Grouping of all the responses (optional)
<Please see attached file for image>

AdminUI (SSO) policy create a RULE (NOTE it must be the same resource and agentname used during the CA Single Sign-On Check Protected Resource assertion)
SSO REALM/RULE protected resource /validate1 with agentname apim-gw_agent-devcloud
<Please see attached file for image>

Responses tied to the RULE
<Please see attached file for image>

APIM Policy Manager configure IsProtect using same resource and agentname
<Please see attached file for image>

In the policy Set Context variable as followed:
${siteminder.smcontext.attributes.mobile}
${siteminder.smcontext.attributes.HomePhone}
${siteminder.smcontext.attributes.TELEPHONENUMBER}
Example:
Template Response Properties:
Customer ATTR:
Rule-User LDAP Object TelePhoneNumber#: ${TelephoneNumber-rule}
OnAccept-User LDAP Object HomePhone#: ${HomePhone-au}
OnAccess-User LDAP Object Mobile#: ${mobile-az}
Results:
Customer ATTR:
Rule-User LDAP Object TelePhoneNumber#: 508-898-7570, 978-898-7050
OnAccept-User LDAP Object HomePhone#: 555-5551
OnAccess-User LDAP Object Mobile#: 888-898-0570