When running CA Access Gateway (SPS) as OAuth client, the SPS Agent gets the correct value of the Client-IP, but the Java OAuth Service doesn't seem to get it.

So, the session gets created with the Load Balancer IP instead of the Browser IP.

Enable the CA Access Gateway (SPS) to pass the value of X-Forwarded-For to the java processing on the CA Access Gateway (SPS), Tomcat (mod_jk), follow the steps from the documentation (1).

    Navigate to the following path o the machine where Access Gateway is installed:

    accessgateway_installation\CA\secure-proxy\httpd\conf

    Open the httpd.conf file and make the following changes:

        Uncomment the following entry:

         LoadModule setenvif_module modules/mod_setenvif.so

        Add the following entry below the entry you uncommented in Step

         SetEnvIfNoCase X-Forwarded-For (.+) JK_REMOTE_ADDR=$1

1. Log Client IP in Logs
   https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/partnership-federation/single-sign-on-to-office-365.html