Siteminder AdminUI - TLS cookie without secure flag set


Article ID: 258266


Products

SITEMINDER

Issue/Introduction

When the AdminUI is running, the JSESSIONID cookie issued by the application does not have the Secure flag set.

Because this cookie carries the session token, a browser will also send it over an unencrypted HTTP connection to the same host, where it can be captured by anyone able to observe the traffic. That is why the missing flag increases the risk associated with this finding.

Environment


Policy Server Version: 12.8 SP6a on Linux x86_64;
AdminUI (WAM UI) 12.8SP6a on Linux x86_64.


Resolution


The Siteminder AdminUI is hosted on a JBoss WildFly application server. The 'Secure' and 'HttpOnly' flags for the cookies set by JBoss (e.g. JSESSIONID) (1) are controlled within the following file (shown with backslashes; on the Linux installation the path uses forward slashes). Note that a cookie carrying the Secure flag is only sent over HTTPS, so after this change the AdminUI must be accessed through its HTTPS port.

<administrative_ui_installation_path>\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF\web.xml

  1. Stop the Siteminder AdminUI;
  2. Edit the following file:

    <administrative_ui_installation_path>\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF\web.xml

  3. Locate the 'session-config' element. Before the change it contains only the 'http-only' setting and will be similar to the following:

    <session-config>
      <cookie-config>
        <http-only>true</http-only>
      </cookie-config>
    </session-config>

  4. Add the 'secure' flag inside the 'cookie-config' element, so that it reads:

    <session-config>
      <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
      </cookie-config>
    </session-config>

  5. Save the changes;
  6. Start the Admin UI.
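The following is an added example for this article, not Broadcom or SiteMinder code. It scripts steps 2 to 4 above (patching the 'cookie-config' block of web.xml so that it contains '<secure>true</secure>', and correcting a '<secure>false</secure>' if one is present) and shows how to verify the result afterwards by checking a Set-Cookie header for the Secure and HttpOnly attributes. The installation path, host name and the two Set-Cookie values below are placeholders or constructed samples, not taken from a live system.

```shell
#!/bin/sh
# Added example for this article; it is not Broadcom/SiteMinder code.
# (a) add_secure_flag: scripted version of steps 2-4, patching <cookie-config> in web.xml.
# (b) cookie_has_flag / session_cookie_hardened: verify a Set-Cookie header once the
#     AdminUI is back up.
# Paths, host name and sample headers are placeholders/constructed, not from a live system.

# add_secure_flag FILE
# Ensures the first <cookie-config> block in FILE contains <secure>true</secure>.
# Keeps a copy of the original as FILE.bak. Returns 0 on success, 1 if FILE has
# no <cookie-config> element (wrong file, or a layout this script does not understand).
add_secure_flag() {
  file=$1
  grep -q '<cookie-config>' "$file" || return 1
  cp "$file" "$file.bak"
  if grep -q '<secure>' "$file"; then
    # Element already present, possibly as <secure>false</secure>: force it to true.
    sed 's|<secure>[^<]*</secure>|<secure>true</secure>|' "$file" > "$file.new"
  else
    # Element missing: insert it directly after the opening <cookie-config> tag.
    awk '{ print } /<cookie-config>/ && !inserted { print "      <secure>true</secure>"; inserted = 1 }' \
      "$file" > "$file.new"
  fi
  mv "$file.new" "$file"
  grep -q '<secure>true</secure>' "$file"
}

# cookie_has_flag HEADER ATTR
# True if the Set-Cookie header value HEADER carries attribute ATTR. The match is
# case-insensitive and made against whole ';'-separated attributes, so a token that
# merely appears inside the cookie value or path cannot fool it.
cookie_has_flag() {
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  printf '%s' "$1" | tr 'A-Z' 'a-z' | tr ';' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx "$want"
}

# session_cookie_hardened HEADER
# True only for a JSESSIONID cookie that carries both Secure and HttpOnly.
session_cookie_hardened() {
  case "$1" in
    JSESSIONID=*) ;;
    *) return 2 ;;   # some other cookie, not the session cookie
  esac
  cookie_has_flag "$1" Secure && cookie_has_flag "$1" HttpOnly
}

# --- demo -------------------------------------------------------------------
# Constructed Set-Cookie values (not captured from a real AdminUI); the Path is assumed.
BEFORE='JSESSIONID=9C7F2A1B5D4E6F; Path=/iam/siteminder/adminui; HttpOnly'
AFTER='JSESSIONID=9C7F2A1B5D4E6F; Path=/iam/siteminder/adminui; Secure; HttpOnly'
for hdr in "$BEFORE" "$AFTER"; do
  if session_cookie_hardened "$hdr"; then
    echo "hardened: $hdr"
  else
    echo "MISSING Secure/HttpOnly: $hdr"
  fi
done

# Patching the real file (placeholder path; run with the AdminUI stopped):
#   ADMINUI_HOME=/opt/CA/siteminder/adminui   # placeholder
#   add_secure_flag "$ADMINUI_HOME/standalone/deployments/iam_siteminder.ear/user_console.war/WEB-INF/web.xml"
# Verifying after the restart (placeholder host/port):
#   curl -ksI https://adminui.example.com:8443/iam/siteminder/adminui/ | grep -i '^set-cookie:'
```

The verification step deliberately splits the header on ';' and compares whole attributes rather than grepping for the substring "secure", because a session value or path containing that word would otherwise produce a false pass. The patch function keeps a .bak copy so the edit can be reverted if the AdminUI fails to start.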


Additional Information