Certificate based authentication along with MFA in SPS

Certificate based authentication along with MFA in SPS


Article ID: 271606


Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction


When running CA Access Gateway (SPS), how can a resource be protected with Multi Factor Authentication (MFA) in a way that allows falling back to another MFA method?


Resolution


At first glance, the SiteMinder documentation only describes fallback authentication from Windows (IWA) to HTML Form and from Kerberos to HTML Form, and neither of these includes MFA (1)(2).

There is also the "X.509 Certificate or HTML Form" scheme, but this is not a fallback: it is a choice offered to the user when no client certificate is presented (3)(4).

To add MFA, use VIP Authentication Hub (5)(6).

For more flexibility in the login phase, review the VIP Authentication Hub use cases described in the documentation (7).

VIP Authentication Hub integrates with SiteMinder through the MFA Chain Authentication Scheme, which allows NTLM/Kerberos with fallback to HTML Form while keeping the MFA step (8).

VIP Authentication Hub also provides the risk functionality of the Advanced Authentication module. Note that VIP Authentication Hub is a standalone application (9).


Additional Information


  1. Configure IWA Fallback to Forms Using Authentication Chain
     https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/authentication-schemes/authentication-chaining/configure-iwa-fallback-to-forms-using-authentication-chain.html
  2. Configure Kerberos Fallback to Forms Using Authentication Chain
     https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/authentication-schemes/authentication-chaining/configure-kerberos-fallback-to-forms-using-authentication-chain.html
  3. X.509 Certificate or Basic Authentication Schemes
     https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/authentication-schemes/x-509-certificate-or-basic-authentication-schemes.html
  4. X.509 Client Certificate or HTML Forms Authentication Schemes
     https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/authentication-schemes/x-509-client-certificate-or-html-forms-authentication-schemes.html
  5. VIP Authentication Hub Authentication Scheme
     https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/authentication-schemes/vip-authentication-hub-authentication-scheme.html
  6. About VIP Authentication Hub
     https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/vip-authentication-hub/2-1/Getting-Started.html
  7. Understanding the Demo Use Cases
     https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/vip-authentication-hub/2-1/VIP-Authentication-Hub-Demo-Environment/policy-use-cases.html
  8. Multi Factor Authentication Chain Authentication Scheme
     https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/authentication-schemes/multi-factor-authentication-chain-authentication-scheme.html
  9. Managing Risk
     https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/vip-authentication-hub/2-1/Using/Management-APIs/vip-auth-hub-risk-engine/risk-management.html