Exception: java.lang.NullPointerException in 12.9 policy server.

Article ID: 421084


Products

SITEMINDER

Issue/Introduction

After upgrading to 12.9, users encounter an HTTP 500 error on the Access Gateway side.

[mm/dd/yyyy][hh:mm:ss][2392166][140317571626752][a35ef1a9-########-########-########-########-9e][TokenService.java][doValidateCommonDataAndSetContext][client_id=########-####-####-####-########7b7f]
[mm/dd/yyyy][hh:mm:ss][2392166][140317571626752][a35ef1a9-########-########-########-########-9e][TokenService.java][doValidateCommonDataAndSetContext][client_secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXSvg=]
[mm/dd/yyyy][hh:mm:ss][2392166][140317571626752][a35ef1a9-########-########-########-########-9e][TokenService.java][doValidateAccessTokenRequestAndSetContext][code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXwbz0%3D]
[mm/dd/yyyy][hh:mm:ss][2392166][140317571626752][a35ef1a9-########-########-########-########-9e][TokenService.java][doValidateAccessTokenRequestAndSetContext][redirect_uri=null]
[mm/dd/yyyy][hh:mm:ss][2392166][140317571626752][a35ef1a9-########-########-########-########-9e][TokenService.java][doValidateAccessTokenRequestAndSetContext][code_verifier=null]
[mm/dd/yyyy][hh:mm:ss][2392166][140317571626752][a35ef1a9-########-########-########-########-9e][TokenService.java][processRequest][ Calling OpenIDConnectTunnelClient for accessToken]
[mm/dd/yyyy][hh:mm:ss][2392166][140317571626752][a35ef1a9-########-########-########-########-9e][OpenIDConnectTunnelClient.java][callOpenIDConnectAccessTokenRequest][Tunnel result code: 2.]
[mm/dd/yyyy][hh:mm:ss][2392166][140317571626752][a35ef1a9-########-########-########-########-9e][OpenIDConnectTunnelClient.java][callOpenIDConnectAccessTokenRequest][Exception caught in class com.ca.federation.webservices.openidconnect.d, method callOpenIDConnectAccessTokenRequest: java.lang.IllegalArgumentException: "Cannot parse bytes to a Response"]
[mm/dd/yyyy][hh:mm:ss][2392166][140317571626752][a35ef1a9-########-########-########-########-9e][TokenService.java][processRequest][ AccessTokenTunnel call failed ]
[mm/dd/yyyy][hh:mm:ss][2392166][140317571626752][a35ef1a9-########-########-########-########-9e][OpenIDConnectServiceBase.java][sendJSONErrorResponse][ Sending error JSON message: 
{"error":"invalid_request","error_description":"Internal Server Error."} 
with error code:500]

smtracedefault.log

[mm/dd/yyyy][hh:mm:ss].275][3976666][139974359889664][AccessTokenTunnelService.java][tunnel][CodeExpiry retrieved from SessionStore: 1763098839][][][][][][][][][][][a35ef1a9-########-########-########-########-9e][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[mm/dd/yyyy][hh:mm:ss].275][3976666][139974359889664][AccessTokenTunnelService.java][tunnel][ Check for az_code expiry with current time][][][][][][][][][][][a35ef1a9-########-########-########-########-9e][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[mm/dd/yyyy][hh:mm:ss].275][3976666][139974359889664][AccessTokenTunnelService.java][tunnel][JSON Data before decrypt : eyJhYyI6Ik9...................CI6IjE1In0=][][][][][][][][][][][a35ef1a9-########-########-########-########-9e][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[mm/dd/yyyy][hh:mm:ss].275][3976666][139974359889664][AccessTokenTunnelService.java][tunnel][Data after unmarshalling from decrypted JSON: InternalData [azCode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXbz0=, clientId=########-####-####-####-########7b7f, userId=CN=########-####-####, redirectURI=https://test.###.###, scope=openid profile1, authTime=1763098647, userDirectoryOID=0e-########-####-####-####-########0cb3, isRevoked=false, isRedirecturiPresentInAZFlow=false, refreshTokenIssuedTime=0, tokenIssuedTime=0, authLevel=15, ]tokenIssuedTime=0, tokenIssuedTimeMillisec0,authLevel=15, , refreshTokenRotationCounter=0,]][][][][][][][][][][][a35ef1a9-########-########-########-########-9e][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[mm/dd/yyyy][hh:mm:ss].275][3976666][139974359889664][AccessTokenTunnelService.java][tunnel][Check if the access_token is alredy issued :null][][][][][][][][][][][a35ef1a9-########-########-########-########-9e][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[mm/dd/yyyy][hh:mm:ss].276][3976666][139974359889664][AccessTokenTunnelService.java][tunnel][Compare request authorizationCode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXbz0= with saved code:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXbz0=][][][][][][][][][][][a35ef1a9-########-########-########-########-9e][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[mm/dd/yyyy][hh:mm:ss].276][3976666][139974359889664][AccessTokenTunnelService.java][tunnel][Retrieving client config from XPS store with clientid: ########-####-####-####-########7b7f][][][][][][][][][][][a35ef1a9-########-########-########-########-9e][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[mm/dd/yyyy][hh:mm:ss].276][3976666][139974359889664][AccessTokenTunnelService.java][tunnel][Application Type is Confidential,Performing Client Authentication][][][][][][][][][][][a35ef1a9-########-########-########-########-9e][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[mm/dd/yyyy][hh:mm:ss].276][3976666][139974359889664][AccessTokenTunnelService.java][tunnel][Exception caught. Exception: java.lang.NullPointerException
    at com.ca.federation.openidconnect.tunnel.AccessTokenTunnelService.tunnel(Unknown Source)
    at com.netegrity.policyserver.smapi.TunnelServiceContext.tunnel(TunnelServiceContext.java:245)
][][][][][][][][][][][a35ef1a9-########-########-########-########-9e][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[mm/dd/yyyy][hh:mm:ss].276][3976666][139974359889664][CServer.cpp:7113][CServer::Tunnel][Return from tunnel call JavaTunnelService][-1][][][][][][][][][][][][][][SmJavaAPI: Expression evaluation returned a null][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[mm/dd/yyyy][hh:mm:ss].276][3976666][139974359889664][CServer.cpp:7124][CServer::Tunnel][Status: Tunnel error: service 'smjavaapi', function 'JavaTunnelService'. SmJavaAPI: Expression evaluation returned a null][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[mm/dd/yyyy][hh:mm:ss].276][3976666][139974359889664][CServer.cpp:7131][CServer::Tunnel][Leave function CServer::Tunnel][213][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[mm/dd/yyyy][hh:mm:ss].276][3976666][139974359889664][CServer.cpp:6640][CServer::ProcessRequest][Leave function CServer::ProcessRequest][213][][][][][][][][][][]

 

Environment

OS: Red Hat Enterprise Linux Server release 8
Policy server version : 12.9; Update: 0.00; Build: 3079

Cause

The legacy OIDC client object configuration is missing the default values for these attributes:

EnablePKCESupport:        false

EnableWellKnownConfig:  false

Both attributes were introduced with the newer OIDC features in later 12.8 releases.

If this legacy OIDC client had been newly created (which changes its XID) or edited at some point in the Admin UI, the default attribute values would have been populated.

XPExplorer can be used to verify the object properties.
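
To know which client objects to inspect, the client IDs that hit this exception can be pulled from smtracedefault.log. The script below is an added example, not Broadcom code: it assumes the trace layout shown in the Issue section with a `[hh:mm:ss.mmm]` time field, correlates records by thread ID, and its function names and sample data are made up for illustration.

```python
import re
from collections import Counter

# Constructed sample in the smtracedefault.log layout shown above
# (timestamps, thread IDs and client IDs are made up).
SAMPLE = """\
[11/14/2025][05:40:39.276][3976666][139974359889664][AccessTokenTunnelService.java][tunnel][Retrieving client config from XPS store with clientid: 11111111-aaaa-bbbb-cccc-000000007b7f][][]
[11/14/2025][05:40:39.276][3976666][139974359889664][AccessTokenTunnelService.java][tunnel][Application Type is Confidential,Performing Client Authentication][][]
[11/14/2025][05:40:39.276][3976666][139974359889664][AccessTokenTunnelService.java][tunnel][Exception caught. Exception: java.lang.NullPointerException
    at com.ca.federation.openidconnect.tunnel.AccessTokenTunnelService.tunnel(Unknown Source)
][][]
[11/14/2025][05:40:41.102][3976666][139974359889999][AccessTokenTunnelService.java][tunnel][Retrieving client config from XPS store with clientid: 22222222-aaaa-bbbb-cccc-000000000001][][]
[11/14/2025][05:40:41.103][3976666][139974359889999][AccessTokenTunnelService.java][tunnel][Application Type is Confidential,Performing Client Authentication][][]
"""

RECORD_START = re.compile(r"^\[\d{2}/\d{2}/\d{4}\]\[")
HEADER = re.compile(r"^\[[^\]]*\]\[[^\]]*\]\[(\d+)\]\[(\d+)\]\[([^\]]*)\]\[([^\]]*)\]\[(.*)", re.S)
CLIENT = re.compile(r"Retrieving client config from XPS store with clientid: ([\w-]+)")

def records(text):
    """Join continuation lines (stack traces) onto the record they belong to."""
    current = []
    for line in text.splitlines():
        if RECORD_START.match(line) and current:
            yield "\n".join(current)
            current = []
        current.append(line)
    if current:
        yield "\n".join(current)

def failing_clients(text):
    """Count NullPointerExceptions in AccessTokenTunnelService per OIDC client ID."""
    last_client = {}  # thread ID -> client ID most recently loaded on that thread
    hits = Counter()
    for rec in records(text):
        m = HEADER.match(rec)
        if not m or m.group(3) != "AccessTokenTunnelService.java":
            continue
        thread, message = m.group(2), m.group(5)
        c = CLIENT.search(message)
        if c:
            last_client[thread] = c.group(1)
        elif "java.lang.NullPointerException" in message:
            hits[last_client.pop(thread, "unknown")] += 1
    return hits

if __name__ == "__main__":
    for client_id, count in failing_clients(SAMPLE).items():
        print(f"{client_id}: {count} NullPointerException(s)")
```

Each client ID it reports is a candidate for the XPExplorer check; a count under `unknown` means the exception appeared on a thread with no preceding client lookup in the scanned text.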

Resolution

Please note that if the same legacy OIDC client is recreated as a new object in the Admin UI, its XID will change, which could have a ripple effect on dependent OIDC partnerships.

This may NOT be necessary or the desired outcome.

If the default attribute parameters are NOT present, run XPSDDInstall SmMaster.xdd to update the policy store schema to match the upgraded policy server version.

If the default attribute parameters are present but have no value, choose either option below:

1. Use XPExplorer to update the value.

2. In the Admin UI, open the OIDC client object for modification, change nothing, and save it.

After the object properties are updated, Broadcom engineering still recommends the code fix (or the latest 12.9 patch) to mitigate other NullPointerException scenarios.