Customer has a realm with 12 hour maximum session timeout and 1 hour idle timeout. 

Users are able to log in successfully, however, their session is expiring after only one hour despite them being active in the application the entire time. 

The agent trace log shows requests being received from the users throughout the hour, and even shows the session cookie being updated multiple times. 

When the session expires unexpectedly, the following message is seen in the agent trace log:

SMSESSION cookie has expired and will not be used to authenticate.

Release : 12.8

Access Gateway's Federation Gateway was setting cookies for .example.com while the Apache web agent protecting the application was setting cookies for xyz.example.com.  

Thus, upon SAML authentication, the user was getting a SMESSION cookie for .example.com. Upon landing in the target application the user was getting a SMSESSION cookie for .xyz.example.com. Since all of the requests during the session were going to the application web agent, all session cookie updates during the session were for .xyz.example.com.

When the browser has multiple cookies of the same name that are both valid for the request domain, it's not possible to predict which one the web server will receive (for security reasons the web agent does not log the session cookie value it receives with requests; browser traces show the browser presenting both cookies on each request).  

In this case the application web agent was receiving the .example.com session cookie with every request, but was responding with a .xyz.example.com session cookie every time the session cookie was refreshed, so even though the user was active in the application throughout the session, the session cookie that the user was effectively presenting for authentication was never updated and thus Siteminder saw the session as idle and logged the user out when the idle timeout was reached.

Setting CookieDomain=.example.com on both Access Gateway and the application agent resolved the issue.  

This assured that the user would have only one session cookie for the application after SAML authentication and thus the session would be updated whenever the user was active in the application.