Resolving an HTTP 405 error with REST API client with SiteMinder

Article ID: 4554

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER

Issue/Introduction


A REST API client call that uses XSRF/CSRF (Cross-Site Request Forgery) protection fails with an HTTP 405 (Method Not Allowed) error on a REST API form postback when the site is protected by SiteMinder.

 

Cause


If the previous response to the REST API client call contains a Set-Cookie header, the client is unable to set the required "X-XSRF-TOKEN" header on the subsequent request, which results in the HTTP 405 (Method Not Allowed) error.

 

Resolution


To prevent the Single Sign On "set-cookie" from being passed to the REST API client call, set the "UseHTTPOnlyCookies" ACO (Agent Configuration Object) parameter to "Yes" for the Web Agent protecting the site.
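
One way to confirm the setting took effect, as an added example that is not part of the original article or the vendor's code: it parses the Set-Cookie header values of a response and flags Single Sign On cookies issued without the HttpOnly attribute. The cookie names SMSESSION and XSRF-TOKEN, the "SM" prefix match and the sample header values are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie header values for the HttpOnly attribute.
# All header values here are constructed samples, not captured traffic.

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (cookie name, attribute dict)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            # Attribute names are case-insensitive, so normalise them.
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(set_cookie_values, sso_prefix="SM", xsrf_cookie="XSRF-TOKEN"):
    """Return (cookie name, finding) pairs for one response's Set-Cookie values.

    sso_prefix and xsrf_cookie are assumptions; adjust them to the deployment.
    """
    findings = []
    for raw in set_cookie_values:
        name, attrs = parse_set_cookie(raw)
        http_only = "httponly" in attrs
        if name.upper().startswith(sso_prefix) and not http_only:
            findings.append((name, "missing-httponly"))
        elif name == xsrf_cookie and http_only:
            # A token cookie that script copies into X-XSRF-TOKEN must stay readable.
            findings.append((name, "unreadable-by-script"))
    return findings


# Constructed response headers before and after setting UseHTTPOnlyCookies=Yes.
BEFORE = [
    "SMSESSION=constructed-session-value; Path=/; Domain=.example.com",
    "XSRF-TOKEN=constructed-token; Path=/",
]
AFTER = [
    "SMSESSION=constructed-session-value; Path=/; Domain=.example.com; HttpOnly",
    "XSRF-TOKEN=constructed-token; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_cookies(headers))
```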