A user accesses a protected resource, logs out, hits the browser's back button, and receives the protected resource again. From this point, the user can navigate to protected resources that were not accessed prior to the logout, so it seems as though the logout was not successful.
Release : 12.52
Component : SITEMINDER -WEB AGENT FOR APACHE
Two factors were in play here. The logout was successfully invalidating the user's session cookie, but upon clicking the back button, the IE browser was loading the page from its cache, with no new requests hitting the agent or web server. When accessing new protected resources from this point, however, the IE browser was presenting a valid session cookie that had never been set by the web agent during the session. This cookie is likely coming from some customization the customer has in place that leverages the Auth/Az Web Service and thus can obtain a session cookie without the web agent's involvement.
The issue could not be reproduced after clearing the IE cache and restarting. IE will always display the content upon hitting the back button because the page is in the IE memory cache at that point. There is no way to refresh the page (pull new data from the server) without either re-authenticating or having a valid session cookie inserted into the browser by some other means.
If session replay after logout is a concern, use persistent sessions. With persistent sessions, the session information is stored centrally in the session store, and logging out removes the session from that store. Even if a user then presents a 'valid' session cookie from before the logout, the policy server will see no matching session in the session store and the user will not be considered authenticated.
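
A minimal model of why the session store closes the replay gap, added here as an illustration and not SiteMinder code. The cookie format, signing key, function names, and the dict standing in for the session store are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

KEY = secrets.token_bytes(32)  # constructed signing key for this model


def issue_cookie(user, store, ttl=3600, now=None):
    """Create a signed session cookie and record the session centrally."""
    now = time.time() if now is None else now
    sid = secrets.token_hex(8)
    body = f"{sid}|{user}|{int(now + ttl)}"
    sig = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    store[sid] = user
    return f"{body}|{sig}"


def validate(cookie, store, persistent, now=None):
    """Return the user name if the cookie is accepted, else None."""
    now = time.time() if now is None else now
    try:
        sid, user, expiry, sig = cookie.split("|")
        expires_at = int(expiry)
    except ValueError:
        return None  # malformed cookie
    body = f"{sid}|{user}|{expiry}"
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or now >= expires_at:
        return None
    # Non-persistent: the cookie's own contents are the only evidence.
    # Persistent: the central store must still hold the session.
    if persistent and store.get(sid) != user:
        return None
    return user


def logout(cookie, store):
    """Server-side logout: remove the session from the central store."""
    store.pop(cookie.split("|")[0], None)


def replay_after_logout(persistent):
    """Present a pre-logout copy of the cookie after the user logs out."""
    store = {}
    saved_copy = issue_cookie("alice", store)
    logout(saved_copy, store)
    return validate(saved_copy, store, persistent)
```

In the non-persistent case the replayed cookie is still cryptographically valid and unexpired, so it is accepted; in the persistent case the same cookie is rejected because the store lookup fails.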