Running CA Access Gateway (SPS) as Authorization Provider, once the OIDC request is sent back to the endpoint Application, then the request doesn't have nonce variable and its value.

Components have been upgraded 12.8SP8CR01 to 12.9 recently.

The client sends nonce=<value> but in IDP response only code=<value> is seen, and the nonce is missing.

The behavior is expected, as per the protocol definition.

The nonce, once the Authorization Provider processes the transaction, is put in the id_token for security reasons, and not kept in the URI (1).

The SiteMinder 12.9 documentation reflects the same expected behavior (2).

1. Mitigate Replay Attacks When Using the Implicit Flow
   
   
2. Authentication Using Authorization Code Flow