If the Cookie Provider agent has FCCCompatMode set to yes (required by Advanced Authentication), SSO does not work.
From the Vulnerability Report:
Customer applications share some of the same authentication cookies (e.g. SMSESSION); this reflected XSS could allow an attacker to retrieve cookies scoped to the parent domain (i.e. .example.com), which are used by other Customer applications. This increase in scope raised the impact of the issue to high.
Release : 9.1
Symantec Strong Authentication
Policy Server 12.8SP4, 12.8SP5
WebAgent 12.52sp01cr11
WebServer Apache httpd 2.4.55
FCCCompatMode should be set to YES for AA and SSO integration to work.
The Advanced Authentication and SiteMinder teams worked on this limitation and found a resolution: SiteMinder AA flows now work fine with FCCCompatMode=No.
We tested the FCC configuration changes below (in a SiteMinder 12.8 SP4, ca-wa-12.52-sp01-cr11 and AA environment), and the enrolment and authentication flows worked fine with FCCCompatMode=No.
Follow the suggestion below to make the product work when FCCCompatMode=No is set in the ACO object.
To configure the CA Advanced Authentication and CA Single Sign On (CA SSO) default flows with FCCCompatMode=No, add the @smpasswordfcc=1 directive to the following FCC files:
Shim.fcc
Shim2.fcc
Shimfinal.fcc
Shimfinal2.fcc
SSO tech doc for reference is here.
The FCC files are attached to this KB for reference as well.
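
One way to confirm the change on each web agent host before setting FCCCompatMode=No, given as an added example that is not part of the KB attachments or the vendor's tooling: the script checks the four FCC files listed above for the @smpasswordfcc=1 directive. The function names, the status words and the directory argument are assumptions of this example; the directory holding the FCC files is deployment-specific and must be supplied by the caller.

```shell
#!/bin/sh
# Added example (not vendor code): audit the four shim FCC files named in this
# KB for the @smpasswordfcc=1 directive. The directory that holds the files is
# passed in by the caller; its location is deployment-specific.
FCC_FILES="Shim.fcc Shim2.fcc Shimfinal.fcc Shimfinal2.fcc"

# fcc_status FILE
# Prints: ok | missing-file | missing-directive | review
fcc_status() {
    [ -f "$1" ] || { echo missing-file; return 0; }
    # Strip CRs so files saved with Windows line endings still match.
    directives=$(tr -d '\r' < "$1" | grep -i '^[[:space:]]*@smpasswordfcc' || true)
    if [ -z "$directives" ]; then
        echo missing-directive
        return 0
    fi
    count=$(printf '%s\n' "$directives" | grep -c .)
    # "ok" only for a single line in the exact form given in the KB; a different
    # value, different casing or a duplicate line is flagged for manual review.
    if [ "$count" -eq 1 ] &&
       printf '%s\n' "$directives" | grep -Eq '^[[:space:]]*@smpasswordfcc=1[[:space:]]*$'; then
        echo ok
    else
        echo review
    fi
}

# audit_fcc_dir DIR
# Prints one status line per file; exit status = number of files not "ok".
audit_fcc_dir() {
    bad=0
    for name in $FCC_FILES; do
        st=$(fcc_status "$1/$name")
        printf '%-16s %s\n' "$name" "$st"
        [ "$st" = ok ] || bad=$((bad + 1))
    done
    return "$bad"
}

# Run the audit when a directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_fcc_dir "$1"
fi
```

A non-zero exit status means at least one of the four files still needs the directive or a manual look, so the ACO change should wait until the audit returns 0.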