When an unsuccessful POST is made to the out-of-the-box login.fcc, the response is HTTP 200. This allows the submitted user information to be cached and re-sent when the browser's "Back" or "Refresh" button is used.
If a form posts sensitive data through a POST request, the server should return a 302 (object moved) response that redirects the user to a different page.
This avoids caching sensitive information.
Any Supported Siteminder Agent
A 302 response from Siteminder is returned only after a successful POST of the credentials and successful authentication; otherwise the response is 200.
Since login.fcc is a sample login page, there are a couple of options to overcome this:
***** 1) To prevent browsers from storing credentials entered into HTML forms, include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
For example, set autocomplete as shown below. This must be done in your login.fcc, and also in login_en-US.fcc if you are using the English language.
<td ALIGN="LEFT" >
<!-- autocomplete="off" on the USER field keeps the browser from storing the entered value -->
<input type="text" name="USER" autocomplete="off" size="30" style="margin-left: 1px">
</td>
***** 2) Use a customized login page where the credentials are posted via an iframe or JavaScript. If the credentials are posted via JavaScript, the Sec-Fetch-Dest header is "empty".
With this method the credentials are posted through a child request rather than by the top-level page itself.
A refresh of the top-level page therefore issues a GET rather than re-submitting the POST.
When Sec-Fetch-Dest is empty, it typically means the request was made by JavaScript and is not for a specific destination such as a <script>, <img>, or <iframe>.
A fetch() call in JavaScript, for example:
fetch('/api/data');
| Value | Description |
| --- | --- |
| document | Top-level document navigation |
| script | Request for a JavaScript file |
| style | CSS files |
| image | Image resources like <img> |
| font | Fonts |
| iframe | Inline frame content |
| empty | Usually a JavaScript-initiated request |
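The JavaScript-posted login from option 2, written out as an added example (this is not the KB's code nor the product's sample login.fcc). It assumes the sample fcc's USER, PASSWORD and TARGET field names, a form with id "loginForm", an element with id "loginError" for messages, and the login.fcc path given in LOGIN_URL; adjust these to your custom page.

```javascript
// Added example: a custom login page that posts SiteMinder credentials from
// JavaScript so the top-level document itself never carries the POST.
// Field names USER/PASSWORD/TARGET follow the sample login.fcc and are
// assumed here; LOGIN_URL is an assumed path for the agent's form.
const LOGIN_URL = '/siteminderagent/forms/login.fcc';

// Encode the credential fields as application/x-www-form-urlencoded, the
// same encoding the HTML form it replaces would have used.
function buildLoginBody({ USER, PASSWORD, TARGET }) {
  return new URLSearchParams({ USER, PASSWORD, TARGET }).toString();
}

// Per the article, SiteMinder answers a successful POST with a 302 and a
// failed one with 200. With redirect: 'manual' the browser hands fetch() an
// "opaqueredirect" response (status 0) instead of following the 302, so that,
// a redirected response, or any 3xx status counts as success.
function classifyLoginResponse(resp) {
  if (resp.type === 'opaqueredirect' || resp.redirected) return 'success';
  if (resp.status >= 300 && resp.status < 400) return 'success';
  return 'failed';
}

// Submit the credentials as a child request (Sec-Fetch-Dest: empty). A refresh
// of the page afterwards is a plain GET, not a replay of the credential POST.
async function submitLogin(fields) {
  const resp = await fetch(LOGIN_URL, {
    method: 'POST',
    credentials: 'same-origin',   // allow the agent's session cookie to be set
    redirect: 'manual',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildLoginBody(fields),
  });
  return classifyLoginResponse(resp);
}

// Wire up the form only when running in a browser.
if (typeof document !== 'undefined') {
  document.getElementById('loginForm').addEventListener('submit', async (ev) => {
    ev.preventDefault();              // stop the top-level POST
    const f = ev.target;
    const result = await submitLogin({
      USER: f.USER.value, PASSWORD: f.PASSWORD.value, TARGET: f.TARGET.value,
    });
    if (result === 'success') window.location.assign(f.TARGET.value);
    else document.getElementById('loginError').textContent = 'Login failed';
  });
}
```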