Introduction: 

This document is regarding smsession string content composition itself.

Question:

Will a smsession cookie be blocked once the cross-scripting check is turned on in Agent ACO?

Environment:  

Windows/Unix

Answer:

Generally speaking, a smsession cookie is not passed directly through a URL via HTTP GET.

Even when occasionally it does, or if a customized redirect is involved, turning on the cross-scripting check should not impact the request itself.

The reason is that Siteminder smsession is a Base64-encoded string. 
Its standard index table can be found over Internet sites and has a 64-character alphabet consisting of upper- and lower-case Roman letters (A–Z, a–z), the numerals (0–9), and the "+" and "/" symbols. The "=" symbol is also used as a special suffix code.

Generally, you will not see any of cross-scripting checking in a client configuration matching the above characters mentioned.

Additional Information:

For Base64-encoding in general,  https://en.wikipedia.org/wiki/Base64