SP-initiated SAML ends in looping

Article ID: 437684

Updated On:

Products

SITEMINDER
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)

Issue/Introduction

When a user tries to access a SAML application through an SP-initiated request whose AuthnRequest carries ForceAuthn="true", the request enters an endless redirect loop between SiteMinder and the IdP.

Environment

All supported environments

Cause

The load balancer was rewriting the hostname between the browser and SiteMinder, and the rewrite included the domain part. The Host header SiteMinder received therefore did not match the host the browser had requested. SiteMinder derives the cookie domain from that header, so it attempted to set cookies for a domain other than the one the browser was addressing; a browser rejects a Set-Cookie whose Domain attribute does not domain-match the request host, so the cookies were never stored.

Because ForceAuthn was set on these requests, SiteMinder relied on those cookies to decide whether the user still had to authenticate. When the user returned from a successful IdP authentication without the expected cookies, SiteMinder concluded that authentication was still required and redirected to the IdP again, producing the loop.

Resolution

Most SiteMinder environments rely on cookies, so the Domain SiteMinder puts on its cookies must be one the browser will accept for the hostname it is actually using, and the browser must then present those cookies back to SiteMinder on subsequent requests to protected resources. In a deployment where a load balancer translates the hostname, either the translation must preserve the host/domain the browser uses, or the agent must be configured to emit a cookie domain that matches the browser-facing hostname (see Additional Information).

Additional Information

In environments where each agent only needs to support a single cookie domain, setting the CookieDomain parameter in the ACO (Agent Configuration Object) works around a load balancer that performs hostname translation. With this parameter set, the agent uses the configured cookie domain for every request regardless of the incoming HTTP_HOST header value. Set it to the domain the browser sees in the requested URL, not the translated host the load balancer presents to the agent; otherwise the cookies will still be rejected. Agents that must serve several cookie domains cannot use this workaround and need the load balancer configuration corrected instead.
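The following is an added illustration, not SiteMinder code, that models the mechanism described under Cause and the CookieDomain workaround described above. The agent is reduced to two behaviours: it derives the cookie Domain attribute from the HTTP_HOST it receives (or uses the CookieDomain ACO value when one is set), and on a ForceAuthn request it treats a missing session cookie as proof that the user must authenticate again. The browser side applies the RFC 6265 domain-match rule that makes it discard a cookie for a non-matching domain. The hostnames `sso.example.com` (browser-facing) and `sso.internal.example` (after load-balancer translation) are constructed for the example, and the "drop the leftmost label" default derivation of the cookie domain is an assumption made here, not the agent's documented algorithm; SMSESSION is SiteMinder's session cookie name.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_ROUND_TRIPS = 5  # stops the simulation once the loop is evident


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: the request host equals the cookie domain or
    is a subdomain of it (compared case-insensitively; IP literals are not
    handled in this example)."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def derive_cookie_domain(http_host: str, cookie_domain_aco: Optional[str] = None) -> str:
    """Domain attribute the modelled agent emits.

    With CookieDomain set in the ACO, that value is used unchanged, which is
    the documented behaviour. Without it, the domain is taken from the
    HTTP_HOST header by dropping the leftmost label (an assumption made for
    this example, not the real agent's derivation)."""
    if cookie_domain_aco:
        return cookie_domain_aco
    host = http_host.split(":", 1)[0].lower()
    labels = host.split(".")
    return "." + ".".join(labels[1:]) if len(labels) > 2 else "." + host


@dataclass
class Browser:
    """Minimal cookie jar bound to the host the user is addressing."""
    host: str
    jar: Dict[str, str] = field(default_factory=dict)
    rejected: List[Tuple[str, str]] = field(default_factory=list)

    def receive_cookie(self, name: str, value: str, domain: str) -> bool:
        """Store the cookie only if its Domain matches the request host."""
        if not domain_matches(self.host, domain):
            self.rejected.append((name, domain))
            return False
        self.jar[name] = value
        return True


def sp_initiated_force_authn(browser_host: str, agent_host: str,
                             cookie_domain_aco: Optional[str] = None) -> Optional[int]:
    """Simulate the SP-initiated flow with ForceAuthn="true".

    browser_host is the host in the URL the user requests; agent_host is the
    HTTP_HOST the agent sees after load-balancer translation. Returns the
    number of IdP redirects before the resource is served, or None if the
    flow never converges (the loop described in the article)."""
    browser = Browser(browser_host)
    cookie_domain = derive_cookie_domain(agent_host, cookie_domain_aco)
    for trip in range(1, MAX_ROUND_TRIPS + 1):
        # ForceAuthn: the agent accepts only a session cookie it set after the
        # IdP round trip as evidence that the user has re-authenticated.
        if "SMSESSION" in browser.jar:
            return trip - 1
        # Redirect to the IdP; the user authenticates and returns, and the
        # agent answers with Set-Cookie: SMSESSION=...; Domain=<cookie_domain>
        browser.receive_cookie("SMSESSION", f"session-{trip}", cookie_domain)
    return None


if __name__ == "__main__":
    looping = sp_initiated_force_authn("sso.example.com", "sso.internal.example")
    fixed = sp_initiated_force_authn("sso.example.com", "sso.internal.example",
                                     cookie_domain_aco=".example.com")
    print("no CookieDomain override:", "loops" if looping is None else f"{looping} redirect(s)")
    print("CookieDomain=.example.com:", "loops" if fixed is None else f"{fixed} redirect(s)")
```

Run as a script: with the translated host and no override the flow never converges, because every SMSESSION cookie carries Domain=.internal.example and the browser on sso.example.com discards it; with CookieDomain=.example.com the cookie is stored after the first IdP round trip and the second request is served. The same check can be made against a real deployment by comparing the Host header the browser sends with the Domain attribute on the Set-Cookie header the agent returns.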