When running a Policy Server, when the user performs a complete logout, if the SMSESSION is reinjected in the browser, the browser can still access the protected resource without being redirected to the login page.

  Policy Server 12.8SP6a;
  Session Store on MSSQL 
  Web Agent 12.52SP1 on Apache 2.4;

Looking at Apache configuration, the Apache instance wasn't configured to run the Web Agent, so the logoff URI cannot be processed.

Installing and configuring the Web Agent solved the issue. Now the Authentication and Logout via the Web Agent is working correctly and indeed the cookie gets invalidated and the session canceled from the Session Store.