Limit gateway updates of the SSO cookie using the cookie assertion

Article ID: 403948

Updated On:

Products

CA API Gateway

Issue/Introduction

We are trying to implement the update as follows:

Does this logic work?

As per your note below, "ATTR_MAXSESSIONTIMEOUT: Maximum time a session can be active. If the last accessed time is low then update the cookie."

Get Current Time:

Use ${gateway.time} to capture the current epoch time as currentEpoch.

Calculate Durations:

idleTime = currentEpoch - ATTR_LASTSESSIONTIME

sessionDuration = currentEpoch - ATTR_STARTSESSIONTIME

Evaluate Expiration Conditions:

If idleTime > ATTR_IDLESESSIONTIMEOUT: Session has expired due to inactivity

If sessionDuration > ATTR_MAXSESSIONTIMEOUT: Session has expired due to overall lifetime

Check for Session Refresh:

Calculate idleThreshold = ATTR_IDLESESSIONTIMEOUT * 0.8

If idleTime > idleThreshold: Session is nearing idle timeout – refresh the session

Environment

Gateway 11.x

Resolution

The solution does not need to be that complicated.

Simple policy: the Tactical Solution “Evaluate Math Expression” assertion is needed.

Line 17: Set the context variable ssoGracePeriod, the value (in seconds) that delays the update of the session cookie, to 60 seconds (set the variable to a value specific to your environment).

Line 25: Math expression ${ATTR_LASTSESSIONTIME} + ${ssoGracePeriod}, with the result stored in variable math1.

Line 26: Block “At least one assertion must evaluate to true”.

Line 27: Compare the variable from line 25: ${math1} is greater than or equal to ${gateway.time.seconds} (epoch of the current Gateway time).

This comparison is true until the gateway time exceeds the grace period. Once it is false:

Line 28: Cookie is updated.
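
The grace-period check from lines 25 to 28, replayed over constructed request times as an added example (this is not the Gateway policy or Broadcom code). It assumes that an updated cookie carries ATTR_LASTSESSIONTIME equal to the current time and that idle and maximum expiry follow the formulas quoted in the question; the function names and sample values are hypothetical.

```python
# Added illustration, not the Gateway policy itself. Sample times are constructed.
# Assumptions: an updated cookie carries ATTR_LASTSESSIONTIME = current time, and
# idle/max expiry follow the formulas quoted in the question.

def should_update_cookie(last_session_time, sso_grace_period, now):
    """Policy lines 25-28: update only once now exceeds last + grace."""
    math1 = last_session_time + sso_grace_period   # line 25
    still_in_grace = math1 >= now                  # line 27
    return not still_in_grace                      # line 28 runs when line 27 is false


def simulate(request_times, start, sso_grace_period, idle_timeout, max_timeout):
    """Replay requests; return (final_state, times at which the cookie was updated)."""
    last = start
    updates = []
    for now in request_times:
        if now - last > idle_timeout:              # idleTime check from the question
            return "idle-expired", updates
        if now - start > max_timeout:              # sessionDuration check
            return "max-expired", updates
        if should_update_cookie(last, sso_grace_period, now):
            last = now                             # cookie rewritten with a new time
            updates.append(now)
    return "active", updates


if __name__ == "__main__":
    steady = list(range(10, 301, 10))              # one request every 10 s for 5 min
    print(simulate(steady, 0, 60, 900, 3600))      # grace period of 60 s
    print(simulate(steady, 0, 0, 900, 3600))       # no grace period
    # Grace period close to the idle timeout: the skipped update at t=50 means
    # the request at t=120 is measured against t=0 and counts as idle.
    print(simulate([50, 120], 0, 60, 100, 3600))
    print(simulate([50, 120], 0, 0, 100, 3600))
```

Under these assumptions, the time recorded in the cookie can lag real activity by up to ssoGracePeriod seconds, so the grace period should stay small relative to the idle timeout.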

Sample pic of policy: