The API Gateway calls the SiteMinder policy server to protect and provide access control to a web application that is identified by some URLs.
The standard SiteMinder Apache agent includes the Agent Configuration Object (ACO) parameter “BadCSSchars”, which is used to prevent XSS attacks. Does the API Gateway agent support “BadCSSchars”?
Gateway 11.x
The Agent for APIM is a custom agent built with the SSO SDK. It does not have all the same capabilities as the standard Apache agent; it aligns more with the WebLogic/WebSphere SSO agents. The type of feature asked about is part of the upper agent (Agent Configuration Object - ACO).
Docs link for “CA Single Sign-On Context Variables”
List of supported ACO parameters:
“Fetch ACO Properties to the Gateway Policy for Composing SMSESSION Cookie with SSOToken”
ATTR_ACO_SSOZoneName constitutes SSOZoneName property
ATTR_ACO_CookiePath and ATTR_ACO_CookiePathScope constitute Path property
ATTR_ACO_CookieDomain and ATTR_ACO_CookieDomainScope constitute Domain property
ATTR_ACO_PersistentCookies and ATTR_ACO_CookieValidationPeriod constitute Expires property
ATTR_ACO_UseSecureCookies is used to indicate the Secure flag
ATTR_ACO_UseHttpOnlyCookies is used to indicate the HttpOnly flag
Gateway does not use any ACO parameters other than those listed above.
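Because the Gateway builds the SMSESSION cookie from the ACO properties listed above, the resulting Set-Cookie header can be audited and each missing attribute traced back to the ACO variables that govern it. The following is an added example, not Gateway or SiteMinder code; the function names and the sample headers are constructed for illustration, and the cookie name defaults to SMSESSION (pass a different name if your deployment uses one).

```python
# Added example: audit a session Set-Cookie header against the ACO-driven attributes.
# Cookie attribute -> ACO context variables that constitute it (mapping from the list above).
ACO_FOR_ATTRIBUTE = {
    "path": ("ATTR_ACO_CookiePath", "ATTR_ACO_CookiePathScope"),
    "domain": ("ATTR_ACO_CookieDomain", "ATTR_ACO_CookieDomainScope"),
    "expires": ("ATTR_ACO_PersistentCookies", "ATTR_ACO_CookieValidationPeriod"),
    "secure": ("ATTR_ACO_UseSecureCookies",),
    "httponly": ("ATTR_ACO_UseHttpOnlyCookies",),
}

# Constructed sample headers (not captured from a real deployment).
SAMPLE_HARDENED = "SMSESSION=abc123==; Path=/; Domain=.example.com; Secure; HttpOnly"
SAMPLE_WEAK = "SMSESSION=abc123==; Path=/; Domain=.example.com"


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    # Only the first '=' separates name from value; the value may contain '='.
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value, attrs


def audit_session_cookie(header, required=("secure", "httponly"),
                         cookie_name="SMSESSION"):
    """Return [(missing_attribute, aco_variables_to_review), ...]."""
    name, _, attrs = parse_set_cookie(header)
    if name != cookie_name:
        raise ValueError(f"expected cookie {cookie_name!r}, got {name!r}")
    return [(attr, ACO_FOR_ATTRIBUTE[attr]) for attr in required if attr not in attrs]


if __name__ == "__main__":
    for label, header in (("hardened", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK)):
        findings = audit_session_cookie(header)
        print(label, "OK" if not findings else findings)
```

An empty result means every required attribute is present; each finding names the ACO variables to review in the Gateway policy.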