When redirecting to stateredirect, BadCssChars is getting triggered

Article ID: 404987

Products

SITEMINDER
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)

Issue/Introduction

WebAgentTrace.log shows incidents where the redirect to /affwebservices/public/stateredirect carries a strange query parameter whose value triggers BadCssChars.

[CSmHttpPlugin.cpp:7206][CSmHttpPlugin::BadCSSCharsFound][][][][][][][][][][][][][][][][URL contains BadCssChars: '/affwebservices/public/stateredirect?GUID=1&SMAUTHREASON=0&SMAGENTNAME=-SM-XXXX&TARGET=-SM-HTTPS%3A%2F%2FXXXX%2Faffwebservices%2Fredirectjsp%2Fredirect%2Ejsp&CHALLENGE-METHOD=S256&REALMOID=XXXX&ui_locales=en-US&METHOD=GET&strangequeryparameterX=Y%22&az_redirect_uri_param_only=XXXX%2526scope%253Dopenid&TYPE=34603009'.]

The query parameter name appears to be random, and the value sometimes contains characters known to be used in CSS (cross-site scripting) attacks.

Cause

SiteMinder does not add those suspicious query string parameters.

It is possible that there is an ongoing attack probing for vulnerabilities by testing whether injected code gets executed.

The request is probably a crafted URL that hits /affwebservices/public/stateredirect directly, rather than a user-initiated request that gets redirected to stateredirect.

Resolution

Check that those query parameter names are not related to SiteMinder or to the customer's application.

Check whether any users are reporting access problems.
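
One way to carry out the first check across a whole trace file, as an added example that is not Broadcom's or SiteMinder's own code: it pulls the URL out of each BadCssChars trace line and reports stateredirect parameters that are not on an allowlist. The allowlist is an assumption built from the names visible in the trace line above, `SUSPECT_CHARS` is an illustrative set rather than the agent's configured BadCssChars value, and the second sample line is constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Names seen in the article's trace line, minus the unexpected one.
# Assumption: extend with parameters your own applications legitimately send.
KNOWN_PARAMS = {
    "GUID", "SMAUTHREASON", "SMAGENTNAME", "TARGET", "CHALLENGE-METHOD",
    "REALMOID", "ui_locales", "METHOD", "az_redirect_uri_param_only", "TYPE",
}
# Illustrative characters only; the agent's real list is its BadCssChars setting.
SUSPECT_CHARS = set("\"'<>")
# Greedy match up to the last quote, so a quote inside the URL is not a cut-off.
BAD_CSS_RE = re.compile(r"URL contains BadCssChars: '(?P<url>.*)'")

def unknown_params(line, known=KNOWN_PARAMS):
    """Return [(name, decoded_value, suspect_chars)] for unrecognised parameters."""
    m = BAD_CSS_RE.search(line)
    if not m:
        return []
    path, _, query = m.group("url").partition("?")
    if not path.endswith("/affwebservices/public/stateredirect"):
        return []
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in known:
            hits = "".join(sorted(SUSPECT_CHARS & set(value)))
            findings.append((name, value, hits))
    return findings

def summarize(lines):
    """Count how often each unrecognised parameter name appears across the log."""
    return Counter(name for line in lines for name, _, _ in unknown_params(line))

# Trace line from the article (abridged), plus one constructed benign line.
SAMPLE_LOG = [
    "[CSmHttpPlugin::BadCSSCharsFound][URL contains BadCssChars: "
    "'/affwebservices/public/stateredirect?GUID=1&SMAUTHREASON=0"
    "&SMAGENTNAME=-SM-XXXX&CHALLENGE-METHOD=S256&REALMOID=XXXX&ui_locales=en-US"
    "&METHOD=GET&strangequeryparameterX=Y%22"
    "&az_redirect_uri_param_only=XXXX%2526scope%253Dopenid&TYPE=34603009'.]",
    "[constructed][Resolved URL: '/app/index.jsp?lang=en'.]",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for name, value, hits in unknown_params(line):
            print(f"unexpected parameter {name!r} value={value!r} suspect={hits!r}")
    print(dict(summarize(SAMPLE_LOG)))
```

A parameter name that recurs in the summary and belongs to neither SiteMinder nor the application is consistent with the crafted-URL explanation given under Cause.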