Siteminder is protecting an application and acting as an OIDC Resource Provider, while Auth Hub handles authentication and acts as the Authorization Provider. After authentication, when the user tries to access the protected resource, the user is presented with a login prompt instead of being served the application as expected.
All Siteminder Releases
Siteminder's federation web services application (/affwebservices) was hosted in one cookie domain, while the target application was hosted in a separate cookie domain. As a result, the browser did not present the session cookie when requesting the application.
There are two ways this could be resolved.
Implementing a cookie provider on the agent that's protecting the application would allow the user to automatically obtain a session cookie for the application's domain based on the session cookie that was set by /affwebservices.
Alternatively, creating a virtual hostname in the application's domain and allowing users to access /affwebservices through this new virtual hostname would ensure that the user receives a cookie in the application's domain during Siteminder authentication. If using Access Gateway, this is easily done by adding the new virtual hostname to the server.conf file. The Auth Hub and Siteminder OIDC configurations would also need to be updated with the new hostname.
Note that changing the CookieDomain parameter in the Agent Configuration Object used by /affwebservices will not work: the domain in the browser request would then not match the domain the session cookie is set for, so the browser would not accept that cookie.
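The cookie-domain behavior behind the cause, the virtual hostname fix and the CookieDomain note can be checked with a small model of the browser's domain-match rule (RFC 6265, section 5.1.3). This is an added example, not Siteminder or Auth Hub code; the hostnames are constructed, and the model ignores cookie path, Secure/SameSite attributes and public-suffix checks.

```python
import ipaddress

def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: does the host fall inside the cookie domain?"""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)  # IP literals only ever match exactly
        return False
    except ValueError:
        return host.endswith("." + domain)

def browser_stores(setting_host: str, cookie_domain: str) -> bool:
    """A Domain attribute is honoured only if the responding host matches it."""
    return domain_match(setting_host, cookie_domain)

def session_reaches_app(setting_host: str, cookie_domain: str, app_host: str) -> bool:
    """True if the cookie is stored AND later sent with requests to the app."""
    return (browser_stores(setting_host, cookie_domain)
            and domain_match(app_host, cookie_domain))

# Constructed hostnames (assumptions for illustration, not from the article).
APP = "app.apps.example.org"
SCENARIOS = {
    # /affwebservices and the application sit in separate cookie domains
    "separate domains": ("fed.login.example.com", ".login.example.com"),
    # only CookieDomain was changed; the /affwebservices hostname is unchanged
    "CookieDomain changed only": ("fed.login.example.com", ".apps.example.org"),
    # /affwebservices is reached through a virtual hostname in the app's domain
    "virtual hostname": ("fed.apps.example.org", ".apps.example.org"),
}

def evaluate() -> dict:
    """Run each scenario: (host serving /affwebservices, cookie Domain)."""
    return {
        name: {"stored": browser_stores(host, dom),
               "reaches_app": session_reaches_app(host, dom, APP)}
        for name, (host, dom) in SCENARIOS.items()
    }

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:28} {result}")
```

Only the virtual hostname scenario yields a cookie that is both stored and sent to the application. The cookie provider option is not modelled here.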
More information about session cookies and cookie provider functionality can be found in the following two links:
Single Sign-On Cookie Domains and Web Agents
Configure Web Agent Single Sign-On Settings