CORS XMLHttpRequest blocking MFA from VIP Authentication Hub

Article ID: 281993

Products

VIP Authentication Hub

Issue/Introduction

When VIP Authentication Hub is integrated with SiteMinder, after the browser gets the login page and posts the credentials, the request to the VIP Authentication Hub resource comes back with the Access-Control-Allow-Origin header set twice: one value is * and the other is null. The VIP Authentication Hub tenant has '*' as the allowed origins.

Environment

VIP Authentication Hub

Resolution

Because CORS is a security feature, using * as the value of Access-Control-Allow-Origin is not recommended. Use one or more FQDNs, as per the documentation (1):
  
    To set the CORS setting, update the "allowedOrigins" property
    (accepts a comma-separated list of URLs) available in "tenant"
    settings with the required and valid http/https URLs.

Further, XMLHttpRequest (XHR) isn't supported in VIP Authentication Hub.

XMLHttpRequest (XHR) will not be able to render a login interface.

The flow to use with VIP Authentication Hub is an HTTP POST with a form, not an XMLHttpRequest (XHR).
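An added example (not Broadcom's code and not part of the original article): a Python check that validates an "allowedOrigins" string before it is applied and flags the duplicated Access-Control-Allow-Origin symptom described under Issue/Introduction. The hostnames, sample headers and function names are constructed for illustration, and rejecting entries that carry a path is an assumption based on how browsers format the Origin header.

```python
from urllib.parse import urlsplit

def validate_allowed_origins(value):
    """Split a comma-separated allowedOrigins string; return (valid, problems)."""
    valid, problems = [], []
    for raw in value.split(","):
        origin = raw.strip()
        if not origin:
            continue
        if origin in ("*", "null"):
            problems.append(f"{origin!r}: not a specific origin, list explicit FQDNs")
            continue
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            problems.append(f"{origin!r}: not an http/https URL")
        elif parts.path not in ("", "/") or parts.query or parts.fragment:
            # Assumption: a browser's Origin header is scheme://host[:port] only,
            # so an entry with a path, query or fragment is treated as a mistake.
            problems.append(f"{origin!r}: expected scheme://host[:port] only")
        else:
            valid.append(f"{parts.scheme}://{parts.netloc}")
    return valid, problems

def audit_acao(headers):
    """Check (name, value) response header pairs for the symptom in this article."""
    values = [v.strip() for n, v in headers
              if n.lower() == "access-control-allow-origin"]
    findings = []
    if len(values) > 1:
        # Browsers fail the CORS check when this header appears more than once.
        findings.append(f"header sent {len(values)} times: {values}")
    for v in values:
        if v in ("*", "null"):
            findings.append(f"value {v!r} is not a specific origin")
    return findings

# Constructed sample data, mirroring the response described in the article.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Origin", "null"),
]
SAMPLE_SETTING = "https://login.example.com, https://sso.example.com:8443/, *"

if __name__ == "__main__":
    print(validate_allowed_origins(SAMPLE_SETTING))
    for finding in audit_acao(SAMPLE_HEADERS):
        print("ACAO:", finding)
```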

Additional Information