When running the AdminUI, the application issues a JSESSIONID cookie that does not have the 'secure' flag set.
The cookie appears to contain a session token, so a browser that sends it over an unencrypted connection would expose the session; this increases the risk associated with the missing flag.
Policy Server Version: Applicable to all the supported releases.
AdminUI Version: Applicable to all the supported releases.
The Siteminder AdminUI is hosted on a JBOSS Wildfly application server. The 'secure' and 'HttpOnly' flags for the cookies set by JBOSS (e.g. JSESSIONID) are controlled in the following file:
<administrative_ui_installation_path>\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF\web.xml
1. Stop the Siteminder AdminUI.
2. Edit the following file:
<administrative_ui_installation_path>\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF\web.xml
3. Locate the 'session-config' element. It will be similar to the following:
   <session-config>
     <cookie-config>
       <http-only>true</http-only>
       <secure>true</secure>
     </cookie-config>
   </session-config>
4. If the 'secure' element is not already present, add it inside the 'cookie-config' child of the 'session-config' element:
   <secure>true</secure>
5. Save the changes.
6. Start the AdminUI.
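The following script is an added example and is not part of the Siteminder product or its documentation. It audits a web.xml for the 'http-only' and 'secure' cookie flags under session-config/cookie-config, writes a corrected copy when either is missing (creating the elements in schema order if absent), and checks a Set-Cookie header value after the restart to confirm the JSESSIONID cookie now carries both attributes. The web.xml content and the Set-Cookie lines in the script are constructed samples, not taken from an AdminUI installation; the real file path is the one shown in step 2.

```python
"""Audit and repair the session-cookie flags in a Java EE web.xml and verify
the Set-Cookie header issued after restart. Added example; the sample
web.xml and Set-Cookie values below are constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed sample: HttpOnly is set but Secure is missing, which is the
# finding described above.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>user_console</display-name>
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so lookups work whatever xmlns the file declares."""
    return tag.rsplit('}', 1)[-1]


def _find_child(elem, name):
    """Return the first direct child whose local name matches, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def audit_web_xml(xml_text):
    """Return {'http-only': bool, 'secure': bool} for the session cookie config.
    A missing element counts as False, which is the servlet container default."""
    root = ET.fromstring(xml_text)
    flags = {'http-only': False, 'secure': False}
    sc = _find_child(root, 'session-config')
    cc = _find_child(sc, 'cookie-config') if sc is not None else None
    if cc is not None:
        for name in flags:
            el = _find_child(cc, name)
            if el is not None and (el.text or '').strip().lower() == 'true':
                flags[name] = True
    return flags


def ensure_cookie_flags(xml_text):
    """Return web.xml text with <http-only>true</http-only> and <secure>true</secure>
    under session-config/cookie-config, appending the elements when absent.
    Appending keeps the schema order (session-timeout before cookie-config,
    http-only before secure)."""
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split('}')[0] if root.tag.startswith('{') else ''
    if ns:
        # Serialize with a default namespace instead of an ns0: prefix.
        ET.register_namespace('', ns)

    def q(name):
        return '{%s}%s' % (ns, name) if ns else name

    sc = _find_child(root, 'session-config')
    if sc is None:
        sc = ET.SubElement(root, q('session-config'))
    cc = _find_child(sc, 'cookie-config')
    if cc is None:
        cc = ET.SubElement(sc, q('cookie-config'))
    for name in ('http-only', 'secure'):
        el = _find_child(cc, name)
        if el is None:
            el = ET.SubElement(cc, q(name))
        el.text = 'true'
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding='unicode')


def check_set_cookie(header_value, cookie_name='JSESSIONID'):
    """Parse one Set-Cookie header value and report whether the named cookie
    carries the Secure and HttpOnly attributes. Returns None for other cookies."""
    parts = [p.strip() for p in header_value.split(';')]
    name = parts[0].split('=', 1)[0].strip()
    if name != cookie_name:
        return None
    attrs = {p.split('=', 1)[0].strip().lower() for p in parts[1:]}
    return {'secure': 'secure' in attrs, 'httponly': 'httponly' in attrs}


if __name__ == '__main__':
    print('before:', audit_web_xml(SAMPLE_WEB_XML))
    fixed = ensure_cookie_flags(SAMPLE_WEB_XML)
    print('after: ', audit_web_xml(fixed))
    # Constructed header values, as a browser would see them before and after the change.
    print(check_set_cookie('JSESSIONID=abc123; Path=/iam; HttpOnly'))
    print(check_set_cookie('JSESSIONID=abc123; Path=/iam; Secure; HttpOnly'))
```

Run the audit against the web.xml from step 2 before and after the edit; the Set-Cookie check can be applied to the header captured from the AdminUI login response once the server is back up, which confirms the container actually picked up the change.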