This document is regarding smsession string content composition itself.
Will a smsession cookie be blocked once the cross-scripting check is turned on in Agent ACO?
Generally speaking, a smsession cookie is not passed directly through a URL via HTTP GET.
Even when occasionally it does, or if a customized redirect is involved, turning on the cross-scripting check should not impact the request itself.
The reason is that Siteminder smsession is a Base64-encoded string.
Its standard index table can be found over Internet sites and has a 64-character alphabet consisting of upper- and lower-case Roman letters (A–Z, a–z), the numerals (0–9), and the "+" and "/" symbols. The "=" symbol is also used as a special suffix code.
Generally, you will not see any of cross-scripting checking in a client configuration matching the above characters mentioned.
For Base64-encoding in general, https://en.wikipedia.org/wiki/Base64