- API Gateway performing authentication with Siteminder through its built-in Siteminder agent (custom SDK agent)
- WAOP deployed on Tomcat rejects the cookie with the following error:
[FWSBase.java][isValidSession][Could not decryptSMSESSION cookie. Error message: Tried out all the decrypt keys, decryption failed..]
All supported WAOP releases
Because the SMSESSION cookie is generated by the custom agent within the API Gateway, the encrypted cookie string ends with the "=" character.
The Tomcat application server, version 9.x, was removing the "=" from the cookie string, causing the WAOP agent to fail to decrypt it.
As this is an application server issue specific to Tomcat, there are two settings referenced in the official Tomcat guide, "allowNameOnly" and "allowEqualsInValue", which need to be set for the Tomcat app server to allow the trailing "=" in the cookie header.
See the official Tomcat guide for additional details: https://tomcat.apache.org/tomcat-9.0-doc/config/cookie-processor.html
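A sketch of how the two settings can be declared, added here as an example and not part of the original article. In the Tomcat 9 cookie-processor documentation both attributes belong to `LegacyCookieProcessor`, so the fragment selects that class explicitly. Placing it in the WAOP web application's own `META-INF/context.xml` is an assumption, chosen so the relaxed cookie parsing applies only to that application and not to every context on the server.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. Assumed location: META-INF/context.xml of the WAOP webapp.
     Putting the same element in conf/context.xml would apply it to every
     web application on this Tomcat instance. -->
<Context>

    <!-- The attributes below are defined on LegacyCookieProcessor, so the
         className is set explicitly. Both attributes default to false. -->
    <CookieProcessor
        className="org.apache.tomcat.util.http.LegacyCookieProcessor"
        allowEqualsInValue="true"
        allowNameOnly="true" />

    <!-- allowEqualsInValue: accept an unquoted cookie value that contains
         the "=" character, such as the trailing "=" of the SMSESSION value.
         allowNameOnly: accept cookies sent as a bare name with no value. -->

</Context>
```

After restarting Tomcat, confirm the change by checking that the WAOP log no longer records the `Could not decryptSMSESSION cookie` error for a session issued by the API Gateway.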