While using VIP Authentication Hub to authenticate users from Siteminder, Access Gateway is throwing a 500 error.  The following is seen in the FWSTrace.log:
FWSB_USER_AUTHENTICATION_FAILED

ALL

The Auth Hub implementation was using multiple data centers and active-active Oracle DB setup.  The problem was occurring when the request from Access Gateway to validate the ID Token went to a different data center than where the user was authenticated.  Due to replication latency, the request was received before the user's session data could be replicated, and thus Access Gateway received a 400 response from Auth Hub.

Adjusting the transactionalDataReadsRetryCount and transactionalDataReadsRetryWaitPeriodMillis parameters in Auth Hub to accommodate the replication latency resolved the problem.