SiteMinder response code change Post Upgrade of Access Gateway.

Article ID: 240934

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Federation (SiteMinder)

Issue/Introduction

It was observed that the HTTP response status line changed starting with SiteMinder Access Gateway r12.8.5 and higher versions.

Here is an example request and response status line for SiteMinder Access Gateway r12.8.5 and higher versions:

REQUEST: GET https://www.example.com/jwt_auth/Token.cfc?method=authenticate&[email protected]

RESPONSE: HTTP/1.1 200 200 

Server: Apache

-----------------------------------
REQUEST: GET https://www.example.com

RESPONSE: HTTP/1.1 302 302

Server: Apache

Location: https://www.example.com/arcotafm/login.jsp?TYPE=33554433&REALMOID=<value>&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-<value>&TARGET=-SM-https%3a%2f%2example%2scom

Here is the same example request and response status line for SiteMinder Access Gateway r12.8.4 and older versions:

REQUEST: GET https://www.example.com/trans/jwt_auth/Token.cfc?method=authenticate&[email protected]

RESPONSE: HTTP/1.1 200 OK

Server: Apache

-----------------------------------


REQUEST: GET https://www.example.com

RESPONSE: HTTP/1.1 302 Found

Server: Apache

Location: https://www.example.com/arcotafm/login.jsp?TYPE=33554433&REALMOID=<value>&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-<value>&TARGET=-SM-https%3a%2f%2example%2scom

==================================

Notice that in older versions (r12.8.4 and older) both the Response Code and the Response Phrase are sent:

Response state in SiteMinder Access Gateway r12.8.4 and below versions is: "302 Found"

while in r12.8.5 and newer the Response Code is simply sent twice, in place of the phrase:

Response state in SiteMinder Access Gateway r12.8.5 and above versions is: "302 302"

Environment

Release: 12.8.5 and higher

Component: SITEMINDER SECURE PROXY SERVER

Cause

This is a result of the Tomcat server bundled with Access Gateway r12.8.5 and higher being upgraded to Tomcat 9.0.x. The previous version of Tomcat bundled with SiteMinder Access Gateway r12.8.4 and older was Tomcat 7.0.x.

Resolution

Since the response is being sent by Apache Tomcat and not by the Siteminder Web Agent, Siteminder has no control over how Apache Tomcat interprets the RFC.

Processing the entire response status line (status code plus reason phrase) rather than just the numeric status code is not considered a best practice. Please refer to RFC 7230 Section 9.3:

-----------------------------
[RFC7230 9.3]

"Recipients ought to carefully limit the extent to which they process other protocol elements, including (but not limited to) request methods, response status phrases, header field-names, numeric values, and body chunks.  Failure to limit such processing can result in buffer overflows, arithmetic overflows, or increased vulnerability to denial-of-service attacks."
-----------------------------

If you have a third party application processing HTTP responses, have it act on the response status code only, avoid processing the response phrase, and change the application accordingly.
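The following added example (not part of this article or the SiteMinder product) contrasts the brittle check this article warns about with a status-line parser that decides on the three-digit code alone, as RFC 7230 section 3.1.2 defines it (the reason-phrase may be empty). The sample status lines are constructed to mirror the captures above.

```python
import re

# RFC 7230 3.1.2: status-line = HTTP-version SP status-code SP reason-phrase CRLF
# status-code is exactly three digits; reason-phrase is free text and may be empty.
# The SP before an empty reason-phrase is made optional because many servers omit it.
STATUS_LINE = re.compile(r"^HTTP/(\d)\.(\d) (\d{3})(?: (.*))?$")


def fragile_is_redirect(status_line: str) -> bool:
    """The brittle pattern this article warns about: matching code *and* phrase.
    Works against Tomcat 7 ("302 Found") but silently fails against Tomcat 9 ("302 302")."""
    return status_line.strip() == "HTTP/1.1 302 Found"


def parse_status_line(status_line: str):
    """Return (major, minor, status_code, reason_phrase) or raise ValueError.
    Only the 3-digit status code carries meaning; the phrase is kept for logging."""
    m = STATUS_LINE.match(status_line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"malformed status line: {status_line!r}")
    major, minor, code, phrase = m.groups()
    return int(major), int(minor), int(code), phrase or ""


def is_redirect(status_line: str) -> bool:
    """Robust check: decide on the numeric status code alone (3xx class)."""
    _, _, code, _ = parse_status_line(status_line)
    return 300 <= code <= 399


# Constructed sample status lines mirroring the article's before/after captures.
SAMPLES = [
    "HTTP/1.1 302 Found",   # Access Gateway r12.8.4 (Tomcat 7)
    "HTTP/1.1 302 302",     # Access Gateway r12.8.5+ (Tomcat 9)
    "HTTP/1.1 302",         # empty reason-phrase, permitted by RFC 7230
    "HTTP/1.1 200 OK",
    "HTTP/1.1 200 200",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:24} fragile={fragile_is_redirect(line)!s:5} robust={is_redirect(line)}")
```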

Additional Information

https://datatracker.ietf.org/doc/rfc7230/