When Identity Manager is protected by a CA Access Gateway (SPS) in front of it and a user account is set to force a password change at the next login, the browser never reaches the password change page.
Instead, the browser receives HTTP status code 400.
Policy Server 12.8SP7 on Windows 2016;
CA Access Gateway (SPS) 12.8SP7 on Windows 2016;
Identity Manager 14.3.0;
There is a known issue in the Policy Server that duplicates the SMTOKEN when users try to change their password.
This is fixed in Policy Server 12.8SP8 with fix DE558539 (1).
From the CA Access Gateway (SPS) Agent traces:
The Policy Server response has a duplicated SMTOKEN:
[03/12/2024][10:46:51][28980][139754164918016][][CSmHttpPlugin::ProcessResource][Resolved URL: '/iam/im/idm/'.]
[03/12/2024][10:46:51][28980][139754164918016][][CSmHttpPlugin::ProcessResource][Resolved METHOD: 'GET'.]
[03/12/2024][10:46:51][28980][139754164918016][][AuthenticateUser][User '<user>' is not authenticated by Policy Server.]
[03/12/2024][10:46:51][28980][139754164918016][][CSmHttpPlugin::ProcessResponses][Executing redirect response: 'https://idm.example.com/iam/im/idmpub/index.jsp?task.tag=PasswordServices&SMENC=UTF-8&SMTOKEN=-SM-<value>&USERNAME=<user>&SMENC=UTF-8&SMTOKEN={RC2}<value>&SMAUTHREASON=20&SMAGENTNAME=-SM-<value>&TARGET=-SM-https%3A%2F%2Fidm.example.com%2Fiam%2Fim%2Fidm%2F']
[03/12/2024][10:46:51][28980][139754164918016][][CSmHttpPlugin::ProcessResponses][Executing redirect response: 'https://idm.example.com/iam/im/idmpub/index.jsp?task.tag=PasswordServices&SMENC=UTF-8&SMTOKEN=-SM-<value>&USERNAME=<user>&SMENC=UTF-8&SMTOKEN={RC2}<value>&SMAUTHREASON=20&SMAGENTNAME=-SM-<value>&TARGET=-SM-https%3A%2F%2Fidm.example.com%2Fiam%2Fim%2Fidm%2F']
When the CA Access Gateway (SPS) forwards the Policy Server response data to Identity Manager (IdM), Identity Manager returns HTTP status code 400:
[03/12/2024][10:46:51][28980][139754164918016][][CSmHttpPlugin::ProcessResource][Resolved URL: '/iam/im/idmpub/index.jsp?task.tag=PasswordServices&SMENC=UTF-8&SMTOKEN=-SM-<value>&USERNAME=<user>&SMENC=UTF-8&SMTOKEN={RC2}<value>&SMAUTHREASON=20&SMAGENTNAME=-SM-<value>&TARGET=-SM-https%3A%2F%2Fidm.example.com%2Fiam%2Fim%2Fidm%2F'.]
[03/12/2024][10:46:51][28980][139754164918016][][CSmHttpPlugin::ProcessResource][Autoauthorizing URL : 'https://idm.example.com/iam/im/idmpub/index.jsp?task.tag=PasswordServices&SMENC=UTF-8&SMTOKEN=-SM-<value>&USERNAME=<user>&SMENC=UTF-8&SMTOKEN={RC2}<value>&SMAUTHREASON=20&SMAGENTNAME=-SM-<value>&TARGET=-SM-https%3A%2F%2Fidm.example.com%2Fiam%2Fim%2Fidm%2F' , Method: 'GET' ]
[03/12/2024][10:46:51][28980][139754164918016][][SmProxyRules.processRules][Dispatching to service FORWARD with url https://10.0.0.1:8443/iam/im/idmpub/index.jsp?task.tag=PasswordServices&SMENC=UTF-8&SMTOKEN=-SM-<value>&USERNAME=<user>&SMENC=UTF-8&SMTOKEN={RC2}<value>&SMAUTHREASON=20&SMAGENTNAME=-SM-<value>&TARGET=-SM-https%3A%2F%2Fidm.example.com%2Fiam%2Fim%2Fidm%2F]
[03/12/2024][10:46:51][28980][139754164918016][][execute][Sending request to backend = 10.0.0.1:8443 url = https://10.0.0.1:8443/iam/im/idmpub/index.jsp?task.tag=PasswordServices&SMENC=UTF-8&SMTOKEN=-SM-<value>&USERNAME=<user>&SMENC=UTF-8&SMTOKEN={RC2}<value>&SMAUTHREASON=20&SMAGENTNAME=-SM-<value>&TARGET=-SM-https%3A%2F%2Fidm.example.com%2Fiam%2Fim%2Fidm%2F]
[03/12/2024][10:46:51][28980][139754164918016][][requestConnection(): ][Get connection: {s}->https://10.0.0.1:8443, timeout = 0]
[03/12/2024][10:46:51][28980][139754164918016][][execute][Response status code from backend webserver is 400]
Upgrade the Policy Server to 12.8SP8 to benefit from fix DE558539 (1).
Note that when upgrading Policy Server, also upgrade the AdminUI and the Policy Store definitions to 12.8SP8.
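To check an agent trace for this condition, before or after the upgrade, the following added example (not part of the original article or of the product) extracts the URL from the two trace message types shown above and reports the lines where SMTOKEN appears more than once in the query string. The sample lines and the function names are constructed for illustration, modeled on the trace format above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Trace messages on this page that carry a URL in single quotes.
URL_IN_TRACE = re.compile(r"(?:Executing redirect response|Resolved URL): '([^']+)'")

def repeated_params(url):
    """Return {name: count} for query parameters that occur more than once."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    counts = Counter(name for name, _ in pairs)
    return {name: n for name, n in counts.items() if n > 1}

def find_duplicate_smtoken(trace_lines):
    """Return (line_number, url_path, repeated) for lines whose URL repeats SMTOKEN."""
    hits = []
    for lineno, line in enumerate(trace_lines, start=1):
        match = URL_IN_TRACE.search(line)
        if not match:
            continue
        repeated = repeated_params(match.group(1))
        if "SMTOKEN" in repeated:
            # Report only the path so token values are not copied into the output.
            hits.append((lineno, urlsplit(match.group(1)).path, repeated))
    return hits

# Constructed sample lines (placeholder token values AAA/BBB, user jdoe).
SAMPLE = [
    "[03/12/2024][10:46:51][1][2][][CSmHttpPlugin::ProcessResource]"
    "[Resolved URL: '/iam/im/idm/'.]",
    "[03/12/2024][10:46:51][1][2][][CSmHttpPlugin::ProcessResponses]"
    "[Executing redirect response: 'https://idm.example.com/iam/im/idmpub/index.jsp"
    "?task.tag=PasswordServices&SMENC=UTF-8&SMTOKEN=-SM-AAA&USERNAME=jdoe"
    "&SMENC=UTF-8&SMTOKEN={RC2}BBB&SMAUTHREASON=20']",
    # Negative control: a single SMTOKEN must not be reported.
    "[03/12/2024][10:46:52][1][2][][CSmHttpPlugin::ProcessResponses]"
    "[Executing redirect response: 'https://idm.example.com/iam/im/idmpub/index.jsp"
    "?task.tag=PasswordServices&SMENC=UTF-8&SMTOKEN=-SM-AAA&USERNAME=jdoe"
    "&SMAUTHREASON=20']",
]

if __name__ == "__main__":
    for lineno, path, repeated in find_duplicate_smtoken(SAMPLE):
        print(f"line {lineno}: {path} repeats {repeated}")
```

To scan a real trace, pass the open file object to `find_duplicate_smtoken` in place of `SAMPLE`.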