SiteMinder PolicyServer: Dynamic agent key rollover, rolled over twice

Article ID: 263525

Products

SITEMINDER, CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder)

Issue/Introduction

The dynamic key rollover mechanism has a defect that can, in certain cases, result in two rollovers instead of one. These two rollovers can be anywhere from a few minutes to 30 minutes apart (there is a random element involved, I believe for historic reasons when it was allowed and possible for multiple Policy Servers to act as key generators, but never mind that...).

Environment

Product Release: 12.8.x

Cause

When the SiteMinder Policy Server misses a scheduled Dynamic Agent Key Rollover (for example, because the server was down at that time), it rolls over the Agent Keys twice when it comes back online.

SiteMinder Web Agents are not affected by these multiple key rollovers that happen in a short period of time (a gap of around 30 minutes), since they are getting the keys regularly. The customer, however, is using custom agents, and it could be that these agents' code is missing these checks. In addition, the customer did not have all the Policy Servers in their environment configured correctly (one key generator and all others subscribed to key updates). As a result, the two rollovers broke the agents' functionality and caused a disruption in their service.
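The effect described above, as an added illustration that is not Broadcom's code and not part of the original article: a simplified model that assumes the key generator keeps an old/current/future key ring and that an agent can read a token only while it holds the current key. The class names, the refresh intervals and the rollover times are hypothetical.

```python
from itertools import count


class KeyGenerator:
    """Toy key generator with an assumed (old, current, future) ring."""

    def __init__(self):
        self._ids = count()  # deterministic key ids stand in for key material
        self.old, self.current, self.future = (next(self._ids) for _ in range(3))

    def rollover(self):
        # Every key shifts one slot and a fresh future key is generated.
        self.old, self.current, self.future = self.current, self.future, next(self._ids)

    def ring(self):
        return {self.old, self.current, self.future}


class Agent:
    """Agent that re-fetches the key ring only every refresh_minutes."""

    def __init__(self, server, refresh_minutes):
        self.server, self.refresh_minutes = server, refresh_minutes
        self.keys, self.last_refresh = server.ring(), 0

    def tick(self, minute):
        if minute - self.last_refresh >= self.refresh_minutes:
            self.keys, self.last_refresh = self.server.ring(), minute

    def can_read_current(self):
        # Up-to-date peers protect tokens with the generator's current key.
        return self.server.current in self.keys


def simulate(rollover_minutes, refresh_minutes, horizon=120):
    """Return the minutes in which the agent could not read current-key tokens."""
    server = KeyGenerator()
    agent = Agent(server, refresh_minutes)
    outage = []
    for minute in range(1, horizon + 1):
        if minute in rollover_minutes:
            server.rollover()
        agent.tick(minute)
        if not agent.can_read_current():
            outage.append(minute)
    return outage


if __name__ == "__main__":
    # Constructed scenario: two rollovers 20 minutes apart.
    print("refresh every 1 min :", simulate({10, 30}, refresh_minutes=1))
    print("refresh every 60 min:", simulate({10, 30}, refresh_minutes=60))
    print("single rollover     :", simulate({10}, refresh_minutes=60))
```

In this model a slow-refreshing agent survives one rollover because it already holds the future key, but the second rollover promotes a key it has never fetched, so it fails until its next refresh.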

Resolution

Upgrade the Policy Server to 12.8 SP8, once it is available, to get the fix for DE548826.

Additional Information

Defect fixes in the service packs, in this case 12.8 SP8, can be verified at the link below once the service pack is GA:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/release-notes/service-packs.html