Depending on their server software, customers can set directives in their site configuration or Web.config files.
The vulnerability is not typically caused by Siteminder; rather, it usually refers to IIS, Apache, or other web servers. If a specific Siteminder component is being implicated, please let us know the details. Otherwise, your web server team should address the vulnerability independently of Siteminder/SSO. There are many web articles explaining how to remediate this vulnerability if you search for "HTTP Security Header Not Detected."
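As an added illustration (not part of the original article or the vendor's guidance), this is what such a directive looks like in an IIS Web.config, with the Apache mod_headers equivalent in a comment. The header names and values are assumptions, since the article does not say which header the scanner reported missing; adjust them to the finding and to how the site is framed and served.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: response headers set at the web server layer,
     independent of Siteminder/SSO. Header names and values are assumed. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Each <remove> precedes its <add> so that a header already
             defined in a parent site or server config does not raise a
             duplicate collection entry error when this file is loaded. -->
        <remove name="X-Content-Type-Options" />
        <add name="X-Content-Type-Options" value="nosniff" />

        <remove name="X-Frame-Options" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />

        <!-- Only meaningful on HTTPS responses; browsers ignore it over HTTP. -->
        <remove name="Strict-Transport-Security" />
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
<!-- Apache equivalent in the site configuration (requires mod_headers):
       Header always set X-Content-Type-Options "nosniff"
       Header always set X-Frame-Options "SAMEORIGIN"
       Header always set Strict-Transport-Security "max-age=31536000"
-->
```

After the change, re-run the scan or inspect the response headers of a page served by that site to confirm the finding clears.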