In some cases a user's logout completes correctly, and the logs confirm it, but the user is still able to access certain protected applications.
SiteMinder release: 12.8.x, 12.9
component: policy server
OS: ALL
SiteMinder maintains a user's session using a cookie called SMSESSION.
When multiple web servers are involved and the user navigates across multiple hostnames, some Web Agents may have different cookie-domain settings. Because each agent then sets the cookie with a different Domain attribute, the browser ends up holding multiple SMSESSION cookies.
[Flow]
1. The user accesses "https://www.example.com/protected/" and logs in.
This Web Agent has "cookiedomain=.example.com", so the SMSESSION cookie is set with "Domain=.example.com".
2. The user navigates to "https://application.sub.example.com/protected/" and gets SSO.
This Web Agent has "cookiedomain=.sub.example.com", so it sets the SMSESSION cookie with "Domain=.sub.example.com".
Here Agent #2 receives the "Domain=.example.com" cookie that was generated in step 1.
The browser finds that ".example.com" domain-matches "application.sub.example.com", so that SMSESSION cookie is submitted.
Agent #2 accepts the cookie because the session information is valid, and updates the session cookie. Agent #2 sets SMSESSION based on its own ACO setting "cookiedomain=.sub.example.com".
This results in a Set-Cookie response that uses "Domain=.sub.example.com".
A browser identifies a cookie by name, domain and path. As no SMSESSION cookie with "Domain=.sub.example.com" exists yet, the browser stores this as a new, second SMSESSION cookie instead of overwriting the first.
The result is two SMSESSION cookies when visiting "https://application.sub.example.com", as both ".example.com" and ".sub.example.com" match that host.
3. The user now navigates back to #1 and logs out.
Here the browser submits only the ".example.com" cookie, because ".sub.example.com" does not match "www.example.com".
The Agent performs the logout by setting the SMSESSION cookie (for .example.com) to the value LOGGEDOFF.
4. The user now navigates to #2, and both cookies are submitted:
"SMSESSION=LOGGEDOFF; Domain=.example.com"
"SMSESSION=XXXYYYZZZ; Domain=.sub.example.com"
The HTTP cookie specification (RFC 6265) tells servers not to rely on the order in which cookies appear in the Cookie header, so from the Web Agent's point of view the order is not guaranteed.
As both SMSESSION cookies are submitted, the outcome can look random: whenever the ".sub.example.com" cookie is evaluated first, it carries a valid session and the protected resource can be accessed.
If the ".example.com" cookie is evaluated first, its value is LOGGEDOFF and the browser is redirected to the login page.
Make sure all agents that share a session have synchronized cookie settings, so that they overwrite the same SMSESSION cookie and the browser holds only one.
In the above sample, "cookiedomain=.example.com" on both agents is the correct configuration: it matches every host under example.com, so every agent reads and updates the same cookie, and a logout on either agent invalidates the session for both.
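The flow above and the recommended fix, replayed in a small browser-side model. This is an added example written for this article, not SiteMinder or Broadcom code: the cookie jar, the agent model and the token value XXXYYYZZZ are constructed, and the model assumes the agent acts on the first SMSESSION value it is handed. The jar sends cookies in creation order, which is the order RFC 6265 recommends to user agents, but since a server may not rely on that order the example evaluates step 4 with both orderings.

```javascript
// RFC 6265 section 5.1.3: a request host domain-matches a cookie domain
// when they are equal or the host ends with "." followed by the domain.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Minimal cookie jar (constructed for this example). Path is fixed to "/",
// which is the only case the flow above needs.
class CookieJar {
  constructor() {
    this.cookies = []; // { name, value, domain }
  }
  // Set-Cookie handling: a cookie is identified by (name, domain, path).
  // The same name with a different Domain attribute becomes a second cookie.
  set(name, value, domain) {
    const d = domain.replace(/^\./, '').toLowerCase();
    const existing = this.cookies.find(c => c.name === name && c.domain === d);
    if (existing) existing.value = value;
    else this.cookies.push({ name, value, domain: d });
  }
  // Cookies a request to `host` carries, in creation order.
  cookiesFor(host) {
    return this.cookies.filter(c => domainMatches(host, c.domain));
  }
}

function smValuesFor(jar, host) {
  return jar.cookiesFor(host).filter(c => c.name === 'SMSESSION').map(c => c.value);
}

// Model of a Web Agent whose ACO has cookiedomain=<cookieDomain> (assumption:
// a simplified agent, not the real product logic). On login it mints a
// session; on access it accepts a valid incoming SMSESSION and re-sets the
// cookie under its own cookiedomain; on logout it overwrites with LOGGEDOFF.
function agent(jar, cookieDomain, action, smValues) {
  if (action === 'login') {
    jar.set('SMSESSION', 'XXXYYYZZZ', cookieDomain); // constructed token
    return 'granted';
  }
  if (action === 'logout') {
    jar.set('SMSESSION', 'LOGGEDOFF', cookieDomain);
    return 'logged-out';
  }
  // access: the agent acts on the first SMSESSION value it is handed.
  const first = smValues[0];
  if (!first || first === 'LOGGEDOFF') return 'login-required';
  jar.set('SMSESSION', first, cookieDomain); // session update
  return 'granted';
}

// Replay steps 1-4 with the given cookiedomain on Agent #2 and report what
// the browser holds for application.sub.example.com afterwards.
function runFlow(agent2CookieDomain) {
  const jar = new CookieJar();
  const host1 = 'www.example.com';
  const host2 = 'application.sub.example.com';
  agent(jar, '.example.com', 'login');                                   // step 1
  agent(jar, agent2CookieDomain, 'access', smValuesFor(jar, host2));     // step 2
  agent(jar, '.example.com', 'logout');                                  // step 3
  const values = smValuesFor(jar, host2);                                // step 4
  return {
    cookieCount: values.length,
    values,
    ifStoredOrder: agent(jar, agent2CookieDomain, 'access', values),
    ifReversed: agent(jar, agent2CookieDomain, 'access', [...values].reverse()),
  };
}

console.log('mismatched:', runFlow('.sub.example.com'));
console.log('synchronized:', runFlow('.example.com'));
```

With the mismatched configuration the browser holds two SMSESSION cookies after logout, and whether the agent grants access depends purely on which one it reads first. With "cookiedomain=.example.com" on both agents there is a single cookie, the logout overwrites it, and both orderings lead to the login page.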