OpenID state parameter with + character in SPS

Article ID: 234647

Updated On:

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Federation (SiteMinder)

Issue/Introduction


The OpenID Connect (OIDC) transaction fails with an "illegal character" error and returns an HTTP 500 to the browser.

The incoming query string contains a + character, which is being interpreted as a space. The server rejects the value and throws an exception.

In this particular case, the OIDC 'state' value contained a + character that was not URL-encoded.


Environment


Policy Server 12.8SP5
CA Access Gateway (SPS) 12.8SP5


Cause


The OIDC state parameter value contained a + character which needs to be URL-encoded before being included in a query string.


Resolution


Use Base64url encoding of OIDC state values to avoid any characters that require URL-encoding.

Merely URL-encoding the state value may not be enough, because some browsers decode the encoded portion of the query string before submitting it back to the server.

Since the state value is used for an exact comparison, a state value that has been URL-decoded in transit (a %2B arriving as + and then being parsed as a space) will no longer match the value that was issued, and the request fails. Base64url encoding avoids the problem entirely, because its alphabet contains no characters that require URL-encoding.
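The following Python is an added illustration, not code from the article or from the SiteMinder product. It simulates the failure mode described above (a standard base64 state containing + being decoded by the browser and then parsed as a space) and shows that a base64url state survives the same round trip and still matches exactly.

```python
import base64
import secrets
from urllib.parse import parse_qs, unquote, urlencode

# base64url alphabet: no character in it needs URL-encoding (padding '=' is stripped)
BASE64URL_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def make_state_base64url(nbytes: int = 24) -> str:
    """Random OIDC state value, base64url-encoded without padding (recommended form)."""
    raw = secrets.token_bytes(nbytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_state_base64(raw: bytes) -> str:
    """Standard base64 state (alphabet includes '+', '/' and '=') - the problematic form."""
    return base64.b64encode(raw).decode("ascii")


def round_trip(state: str, browser_predecodes: bool) -> str:
    """Simulate placing the state in a query string and reading it back on the server.

    urlencode() percent-encodes '+' as %2B. If the browser decodes the query string
    before resubmitting it (the behaviour the article describes), %2B becomes a
    literal '+', which the server-side query parser then treats as a space.
    """
    query = urlencode({"state": state})
    if browser_predecodes:
        query = unquote(query)  # e.g. %2B -> '+', %2F -> '/', %3D -> '='
    return parse_qs(query)["state"][0]  # parse_qs decodes '+' as ' '


def state_matches(issued: str, received: str) -> bool:
    """The OIDC state check is an exact string comparison."""
    return issued == received


if __name__ == "__main__":
    # Constructed input whose base64 form begins with '+': b"\xfb\xff" -> "+/8="
    bad = make_state_base64(b"\xfb\xff")
    print(bad, "->", repr(round_trip(bad, browser_predecodes=True)))
    good = make_state_base64url()
    print(good, "matches:", state_matches(good, round_trip(good, True)))
```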