smsession cookie attribute SAMESITE was set as "strict".


Article ID: 240929



SITEMINDER CA Single Sign On Agents (SiteMinder) CA Single Sign On Secure Proxy Server (SiteMinder)


In a single sign-on setup, there are multiple regular web agents involved.

When logging in to one application, we noticed that the smsession cookie was being set with the SAMESITE attribute as "strict".

Once that happens, the user cannot SSO into the other (report) application and gets an authentication login prompt.

The customer believes this is the cause of the single sign-on failure, even though we have verified that the standard agents on both sides do not have the SAMESITE feature enabled, and the two applications are in the same cookie domain.


Release : 12.8.05



During troubleshooting, turning on the SAMESITE feature in the ACO and deliberately setting it to "none" had no effect on the resulting SAMESITE value.

In browser testing, the smsession cookie was still observed being set with SAMESITE as "strict" almost instantly.
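As an added example (not part of this article or of the SiteMinder product), the following Python script performs the same check that was done manually in the browser above: it parses the Set-Cookie headers returned by each application and reports which SameSite, HttpOnly, Secure and Domain attributes the SMSESSION cookie actually carries, so that differences between two applications in the same cookie domain can be seen side by side. The application names and header values are constructed for illustration.

```python
"""Inspect Set-Cookie headers for the SiteMinder SMSESSION cookie.

Added example, not from the KB article. Given the raw Set-Cookie header
values each application returns (for instance copied from the browser's
network tab or from a proxy capture), report the attributes that are
actually present on the SMSESSION cookie.
"""
from typing import Dict, List, Optional

# Constructed sample: two applications sharing one cookie domain. One of them
# emits SMSESSION with SameSite=Strict, the other without any SameSite value.
SAMPLE_HEADERS: Dict[str, List[str]] = {
    "app-behind-api-gateway": [
        "SMSESSION=abc123; Domain=.example.com; Path=/; Secure; HttpOnly; SameSite=Strict",
        "JSESSIONID=xyz; Path=/; HttpOnly",
    ],
    "report-app": [
        "SMSESSION=abc123; Domain=.example.com; Path=/; Secure",
    ],
}


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split one Set-Cookie value into its name, value and attributes.

    Attribute keys are lower-cased so 'SameSite' and 'samesite' compare equal.
    Flag attributes such as Secure and HttpOnly are stored with value None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if val else None
    return cookie


def smsession_cookie(headers: List[str]) -> Optional[Dict[str, Optional[str]]]:
    """Return the parsed SMSESSION cookie from a list of Set-Cookie values, or None."""
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"].lower() == "smsession":
            return cookie
    return None


def samesite_of(headers: List[str]) -> str:
    """Report the SameSite value on the SMSESSION cookie, lower-cased.

    Returns "absent" when the cookie is present without a SameSite attribute,
    and "no SMSESSION cookie" when no such cookie was set at all.
    """
    cookie = smsession_cookie(headers)
    if cookie is None:
        return "no SMSESSION cookie"
    value = cookie.get("samesite")
    return value.lower() if value else "absent"


def audit(headers_by_app: Dict[str, List[str]]) -> Dict[str, Dict[str, str]]:
    """Summarise SMSESSION attributes per application for a side-by-side comparison."""
    summary: Dict[str, Dict[str, str]] = {}
    for app, headers in headers_by_app.items():
        cookie = smsession_cookie(headers) or {}
        summary[app] = {
            "samesite": samesite_of(headers),
            "httponly": "yes" if "httponly" in cookie else "no",
            "secure": "yes" if "secure" in cookie else "no",
            "domain": cookie.get("domain") or "absent",
        }
    return summary


if __name__ == "__main__":
    for app, attrs in audit(SAMPLE_HEADERS).items():
        print(app, attrs)
```

When the same SMSESSION value is returned with different attributes by different applications, the attributes are being rewritten somewhere in the path (in this article, by the Layer 7 API agent), not by the regular agent's ACO alone.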


The customer had not disclosed that one of the agents is integrated with a Layer 7 API gateway.
The source of SAMESITE="strict" is the Layer 7 API agent configuration.
It can set SAMESITE to "strict" on the fly, and it can also alter the ACO UseHTTPOnlyCookies parameter to yes.
However, after correcting the SAMESITE configuration on the Layer 7 API agent side, the issue was still not resolved. We also disabled SAMESITE in the regular agent's ACO.
The smsession cookie's SAMESITE attribute did not cause the single sign-on failure.
The true cause is that a regular agent will NOT accept a (SDK) custom agent's cookie unless ACO AcceptTPCookie is set to Yes on the regular agent.
The Layer 7 API gateway is considered a custom agent.
In the end, setting ACO AcceptTPCookie=Yes on the regular agent resolved the issue.