If the Cookie Provider agent has FCCCompatMode set to yes (as required by Advanced Authentication), SSO does not work.
From the Vulnerability Report:
Customer applications share some of the same authentication cookies (e.g. SMSESSION); this reflected XSS could allow an attacker to retrieve cookies scoped to the parent domain (i.e. .example.com), which are used by other Customer applications. This increase in scope raised the impact of the issue to high.
Release: 9.1
Symantec Strong Authentication
Policy Server 12.8SP4, 12.8SP5
WebServer Apache httpd 2.4.55
FCCCompatMode should be set to YES for the AA and SSO integration to work.
The Advanced Authentication and SiteMinder teams worked on this and found a resolution for this limitation; SiteMinder AA flows now work with FCCCompatMode=No.
We tested the FCC configuration changes below (in a SiteMinder 12.8 SP4, ca-wa-12.52-sp01-cr11 and AA environment), and the enrolment and authentication flows worked with FCCCompatMode=No.
Follow the suggestion below to make the product work when FCCCompatMode=No is set in the ACO.
To configure CA Advanced Authentication and CA Single Sign On (CA SSO) default flows with FCCCompatMode=No, edit the FCC files and add the @smpasswordfcc=1 directive to the following FCC files:
The SSO technical documentation is linked here for reference.
The FCC files are attached to this KB for reference as well.
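The following is an added example, not code from this KB or from the SiteMinder product, showing how to verify that an FCC file carries the @smpasswordfcc=1 directive and how to add it idempotently, so that the directive is neither missed nor duplicated across the files you change. It assumes the usual FCC layout of a leading block of @name=value directive lines followed by the HTML form; the sample FCC content and the file names are constructed for illustration, since the KB does not list the files.

```python
"""Audit and patch SiteMinder FCC files for the @smpasswordfcc=1 directive.

Added example (not from the KB or from SiteMinder). Assumes FCC files start
with '@name=value' directive lines followed by the HTML form body; the sample
content below is constructed, loosely modelled on a login.fcc.
"""
from pathlib import Path
from typing import Dict, Iterable

DIRECTIVE = "smpasswordfcc"
VALUE = "1"

# Constructed sample FCC content (not a real product file).
SAMPLE_FCC = """@username=%USER%
@password=%PASSWORD%
@target=%TARGET%
@smagentname=%SMAGENTNAME%
@smretries=0
<html>
<body>
<form name="Login" method="POST">
<input type="text" name="USER">
<input type="password" name="PASSWORD">
</form>
</body>
</html>
"""


def _split_directive(line: str):
    """Return (key, value) for an '@key=value' line, else None."""
    s = line.strip()
    if not s.startswith("@"):
        return None
    key, sep, val = s[1:].partition("=")
    if not sep:
        return None
    return key.strip().lower(), val.strip()


def has_directive(text: str, name: str = DIRECTIVE, value: str = VALUE) -> bool:
    """True if a directive line '@name=value' is present (case-insensitive key)."""
    for line in text.splitlines():
        kv = _split_directive(line)
        if kv and kv[0] == name.lower() and kv[1] == value:
            return True
    return False


def ensure_directive(text: str, name: str = DIRECTIVE, value: str = VALUE) -> str:
    """Return text with '@name=value' present exactly once in the directive block.

    An existing @name line (any value) is rewritten in place and duplicates are
    dropped; if absent, the directive is inserted after the last directive line
    that precedes the HTML body, so it is never buried inside the form markup.
    """
    out, seen = [], False
    for line in text.splitlines():
        kv = _split_directive(line)
        if kv and kv[0] == name.lower():
            if not seen:
                out.append(f"@{name}={value}")
                seen = True
            continue  # skip duplicates
        out.append(line)
    if not seen:
        insert_at = 0
        for i, line in enumerate(out):
            s = line.strip()
            if s.startswith("@"):
                insert_at = i + 1
            elif s.startswith("<"):
                break  # reached the HTML body
        out.insert(insert_at, f"@{name}={value}")
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def audit_files(paths: Iterable[Path]) -> Dict[str, bool]:
    """Map each FCC path to whether it already carries the directive."""
    return {str(p): has_directive(p.read_text()) for p in paths}


def patch_file(path: Path) -> bool:
    """Add the directive to one FCC file; return True if the file was changed."""
    original = path.read_text()
    updated = ensure_directive(original)
    if updated != original:
        path.write_text(updated)
        return True
    return False


if __name__ == "__main__":
    # Hypothetical file names; the KB does not list which FCC files to edit.
    for fcc in [Path("login.fcc"), Path("aa_enroll.fcc")]:
        if fcc.exists():
            print(f"{fcc}: {'patched' if patch_file(fcc) else 'already set'}")
```

Run it over the FCC files the KB attachment names; audit_files lets you confirm every file was changed before restarting the web agent, and running ensure_directive a second time leaves the files untouched.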