When running CA Access Gateway (SPS) as an OIDC provider and testing with the Postman Web App, the authorization code is returned, but when the tool calls the Token Endpoint to exchange it for the Access Token, the application reports an error:
Request Body
grant_type: "authorization_code"
code: "OGU2NmM0MzktOTA*****************************************************ZnZQWT0="
redirect_uri: "https://oauth.psexample.io/v1/browser-callback"
client_id: "mobileAPP_AP"
Error: CORS request rejected: https://sps.example.com/affwebservices/CASSO/oidc/Client/token
CA Access Gateway (SPS) 12.8SP6 on Windows 2016;
AdoptOpenJDK 11.0.16.8;
The SPS traces show:
Resolving service to handle OIDC CORS Preflight Request, for URI: /affwebservices/CASSO/oidc/Client/token]
Per the documentation, the CORSConfiguration ACO parameter must be configured (1): the browser hosting the Postman Web App sends a CORS preflight request to the token endpoint and expects the matching CORS response headers (2).
Configure the CORSConfiguration ACO parameter so that SPS returns the CORS response headers that the Postman Web App needs.
(1)
Cross-Origin Resource Sharing (CORS) Support for OIDC Endpoints
If CORS is enabled for Authentication URL, SiteMinder verifies
whether the Origin header is allowed per the CORSConfiguration ACO
parameter configuration. If the Origin header is not allowed, CORS
process flow ends. If the Origin header is allowed, SiteMinder
validates the other configured ACO parameters, and then
authenticates the user, adds CORS response to the authentication
response, and redirects to Authorization Endpoint.
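The preflight decision described above, modelled as an added example (not SPS or SiteMinder code): the allow-list, the Postman origin and the request headers are constructed, and the real CORSConfiguration ACO syntax is not reproduced. It shows why an Origin missing from the allow-list ends the flow with no CORS headers (the "CORS request rejected" symptom), and which headers the browser needs before it releases the token POST.

```python
from typing import Dict, FrozenSet, Optional
from urllib.parse import urlsplit

# Constructed allow-list: the real CORSConfiguration ACO syntax is not reproduced here.
ALLOWED_ORIGINS: FrozenSet[str] = frozenset({"https://postman.example"})   # hypothetical Postman Web App origin
ALLOWED_METHODS: FrozenSet[str] = frozenset({"OPTIONS", "POST"})           # token endpoint is POST-only
ALLOWED_HEADERS: FrozenSet[str] = frozenset({"content-type", "authorization"})


def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalise an Origin value to scheme://host[:port]; None if malformed (e.g. "null")."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path not in ("", "/"):
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def evaluate_preflight(headers: Dict[str, str],
                       allowed_origins: FrozenSet[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Return the CORS headers to add to the preflight response, or {} when the
    CORS flow ends (the browser then reports "CORS request rejected")."""
    origin = normalize_origin(headers.get("Origin", ""))
    if origin is None or origin not in allowed_origins:
        return {}                                  # step 1: Origin not allowed -> flow ends
    method = headers.get("Access-Control-Request-Method", "").strip().upper()
    if method not in ALLOWED_METHODS:
        return {}                                  # step 2: requested method not permitted
    requested = {h.strip().lower()
                 for h in headers.get("Access-Control-Request-Headers", "").split(",") if h.strip()}
    if not requested <= ALLOWED_HEADERS:
        return {}                                  # step 2: a requested header is not permitted
    return {                                       # step 3: headers the browser needs to release the token call
        "Access-Control-Allow-Origin": origin,     # echo the allow-listed origin only, never "*" or the raw header
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Vary": "Origin",                          # keep caches from serving one origin's answer to another
    }


if __name__ == "__main__":
    # Constructed preflight for the token endpoint, as a browser would send it before the POST
    preflight = {"Origin": "https://postman.example",
                 "Access-Control-Request-Method": "POST",
                 "Access-Control-Request-Headers": "Content-Type"}
    print(evaluate_preflight(preflight, frozenset()))      # no origins allowed -> {} (the reported failure)
    print(evaluate_preflight(preflight))                   # allow-listed -> CORS headers returned
```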
(2)