Hi Team,
An access token generated by one application works at another application's UserInfo endpoint if we pass that access token to get the claims.
Example:
We are generating the access token with the token endpoint https://domain.com/affwebservices/CASSO/oidc/baymax/token (this is the abc application token endpoint), and when we pass this access token (generated by the xyz application) to another application's user info endpoint https://domain.com/affwebservices/CASSO/oidc/payments/userinfo (this is the payments application user info endpoint), it gives the claims of the payments application.
Is this expected behavior in CA SiteMinder? Are there any settings to restrict it?
Note: The same scenario is happening in all environments, including production.
Release: 12.8
Component: SITEMINDER - POLICY SERVER
This is expected behavior. There are no settings to restrict it as of now.
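Since the policy server offers no setting to restrict which client's token a UserInfo endpoint accepts, the relying party can enforce the binding itself before trusting the claims. The following is an added example, not code from the thread or from SiteMinder: it assumes the application has already obtained a verified claim set for the token (via signature verification of a JWT or the provider's token introspection), and it assumes standard OIDC claim names (`iss`, `aud`, `azp`, `client_id`, `exp`), since the thread does not state which token format SiteMinder issues. The issuer URL and claim values below are constructed from the domain in the question.

```python
import time

# Constructed claim sets (not from the thread). They stand in for what a relying
# party gets back after verifying a JWT's signature or calling token introspection.
# The claim names are an assumption; adapt them to what the provider actually emits.
ISSUER = "https://domain.com/affwebservices/CASSO/oidc"  # constructed, hypothetical

SAMPLE_CLAIMS_BAYMAX = {
    "iss": ISSUER,
    "sub": "user123",
    "aud": "baymax",          # single-valued audience
    "azp": "baymax",          # authorized party: the client the token was issued to
    "exp": 1700003600,        # constructed expiry (Unix seconds)
}

SAMPLE_CLAIMS_PAYMENTS = {
    "iss": ISSUER,
    "sub": "user123",
    "aud": ["payments", "payments-api"],  # aud may also be a list per the JWT spec
    "client_id": "payments",              # some providers use client_id instead of azp
    "exp": 1700003600,
}


def audience_of(claims):
    """Normalize the aud claim to a list (it may be a string or a list)."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def check_token_binding(claims, expected_issuer, expected_client, now=None):
    """Return (ok, reason): accept the token only if it was issued by the expected
    issuer, has not expired, names this application in its audience, and (when the
    claim is present) was issued to this application as the authorized party."""
    now = time.time() if now is None else now

    if claims.get("iss") != expected_issuer:
        return False, "issuer mismatch"

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or exp missing"

    aud = audience_of(claims)
    if expected_client not in aud:
        return False, f"audience {aud} does not include {expected_client}"

    # azp / client_id identify the client the token was minted for; a token minted
    # for another client must not unlock this application's claims even if the
    # provider's UserInfo endpoint would serve them.
    party = claims.get("azp") or claims.get("client_id")
    if party is not None and party != expected_client:
        return False, f"token issued to {party}, not {expected_client}"

    return True, "ok"


def release_userinfo(app_name, claims, now=None):
    """Gate the application's UserInfo data behind the binding check. Returns the
    subject's claims only when the token is bound to this application."""
    ok, reason = check_token_binding(claims, ISSUER, app_name, now=now)
    if not ok:
        return None, reason
    return {"sub": claims["sub"]}, "ok"


if __name__ == "__main__":
    t = 1700000000  # constructed "current time" for a deterministic demo
    # A baymax token presented to the payments application is refused.
    print(release_userinfo("payments", SAMPLE_CLAIMS_BAYMAX, now=t))
    # A payments token presented to the payments application is accepted.
    print(release_userinfo("payments", SAMPLE_CLAIMS_PAYMENTS, now=t))
```

The check is deliberately independent of how the provider behaves: even when the UserInfo endpoint honours any valid token from the same issuer, an application that only acts on claims whose `aud`/`azp` name it stays isolated from tokens minted for other clients.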