Tracksessiondomain parameter in ACO and use FQDN as the cookie domain


Article ID: 40655


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On



In the following ACO configuration, users get HTTP 500 in the browser and [10-0017] error in the agent log while trying to login to “”.

Note: The FQHN( and the cookiedomain( are the same value.

1.    Tracksessiondomain=Yes

2.    FccCompatMode=Yes


Following is a sample from login agent trace log.

[01/24/2015][14:12:21][5144][2144][SmAdvancedAuthCore.cpp:916][SmAdvancedAuthCore::validateTargetDomain][000000000000000000000000d32611ac-1418-543eb905-0860-01944823][XX.XX.XX.XX][][][/index.html][][Target does not contain cookieDomain:]

[01/24/2015][14:12:21][5144][2144][SmAdvancedAuthCore.cpp:162][SmAdvancedAuthCore::GatherCredentials][000000000000000000000000d32611ac-1418-543eb905-0860-01944823][XX.XX.XX.XX][][][/index.html][][Validating target for 4.x compatibility mode.]

[01/24/2015][14:12:21][5144][2144][SmAdvancedAuthCore.cpp:168][SmAdvancedAuthCore::GatherCredentials][000000000000000000000000d32611ac-1418-543eb905-0860-01944823][*XX.XX.XX.XX][][][/index.html][][Target domain does not match the local domain. Will not redirect the user to the target.]


12.51, 12.52 Agents


The behavior of validating target domain is different in 4x compatible mode(FccCompatMode=Yes) when compared to normal mode(FccCompatMode=No).

In normal mode, target is validated based on the entries in the ACO validTargetDomain, if the list is empty user is not redirected to the target.

Whereas in 4xcompat mode, if the entries in the ACO ValidTargetDomain are empty, then user is validated based on cookie domain.


If FccCompatmode=Yes, User is Authenticated but not redirected to the target. User will see error 500 in the browser.

If FccCompatmode=No, User is Authenticated and redirected to the target.


1. Run the agent in Normal Mode(FccCompatMode=No) if you want to use the cookie domain as same as hostname.

2. If you want to run your agent in 4x Compatible Mode(FccCompatMode=Yes), you have to make sure that cookie domain is part of hostname not the FQDN.


Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus