12.8.07 upgrade OIDC Confidential type, switches to PKCE after upgrade

Article ID: 266414


Products

CA Single Sign On Federation (SiteMinder)

Issue/Introduction

When the OIDC application was changed from Public/Enable PKCE to Confidential/POST, the "Enable PKCE" box was not unchecked, leaving "Enable PKCE" set to true in the data store. Because Enable PKCE was not a feature for Confidential/POST, the setting was bypassed and not actually enabled.

After the upgrade, Enable PKCE became a new feature for Confidential/POST, so the Enable PKCE setting is no longer bypassed.

If it was set to True for Public and not unchecked when the application was changed to Confidential/POST, Enable PKCE is now checked and enabled for Confidential/POST.

After the SiteMinder upgrade, some applications reported the error "error=invalid_request&error_description=code+challenge+is+required" when the box for the new Enable PKCE feature for Confidential/POST became checked.
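To confirm that an application is hitting this condition, compare the authorization request it sends with the error redirect it receives. The following is an added example, not Broadcom code: the host names, the `/authorize` path, the sample URLs and the function names are constructed assumptions, and `s256` shows the RFC 7636 `code_challenge` value that the server now expects.

```python
import base64
import hashlib
from urllib.parse import urlsplit, parse_qs

# Constructed sample data (hypothetical hosts and client_id).
SAMPLE_REQUEST = ("https://sso.example.com/authorize?response_type=code"
                  "&client_id=app1&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb"
                  "&scope=openid&state=xyz")
SAMPLE_REDIRECT = ("https://app.example.com/cb?error=invalid_request"
                   "&error_description=code+challenge+is+required&state=xyz")

def s256(code_verifier):
    """RFC 7636 S256: base64url(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def _params(url):
    """Collect parameters from both query and fragment (first value wins)."""
    parts = urlsplit(url)
    merged = parse_qs(parts.query)
    merged.update(parse_qs(parts.fragment))
    return {key: values[0] for key, values in merged.items()}

def diagnose(auth_request_url, redirect_url):
    """Classify a failed authorization round trip."""
    request = _params(auth_request_url)
    response = _params(redirect_url)
    sent_challenge = "code_challenge" in request
    description = response.get("error_description", "").lower()
    pkce_error = (response.get("error") == "invalid_request"
                  and "code challenge" in description)
    if pkce_error and not sent_challenge:
        # Server enforces PKCE, client never sent it: the case in this article.
        return "pkce-enforced-client-sends-none"
    if pkce_error:
        return "pkce-error-despite-challenge"
    if "error" in response:
        return "other-error"
    return "ok"

if __name__ == "__main__":
    print(diagnose(SAMPLE_REQUEST, SAMPLE_REDIRECT))
```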

Environment

Policy Server: 12.8.7

Resolution

The underlying policy-store PKCE switch is common to both Public and Confidential. Since PKCE was not a feature for Confidential in the past (12.8.3), the switch never triggered.

It is recommended to manually un-check PKCE before moving to Confidential in the old environments so that you don't run into this issue.