Setting up a Federation between two different environments, on both sides, SiteMinder acts as IDP and SP.
[05/17/2016][08:30:07][12418][2661268336][][FWSBase.java][isValidSession][Found SESSION cookie: SMSESSION]
[05/17/2016][08:30:07][12418][2661268336][][FWSBase.java][isValidSession][Trying to validate using SMSESSION cookie.]
[05/17/2016][08:30:07][12418][2661268336][][FWSBase.java][isValidSession][Session ID is: /Pz43N5w8p45IpngiB4YrAcN3ec=]
[05/17/2016][08:30:07][12418][2661268336][][FWSBase.java][isValidSession][Session Spec is: Ce784eYnjA [...] ]
[05/17/2016][08:30:07][12418][2661268336][][FWSBase.java][isSessionIdle][Verifying validity of session cookie [SMSESSION] retrieved]
[05/17/2016][08:30:07][12418][2661268336][][FWSBase.java][isSessionIdle][Request doesn't contain session ID header. Session cookie[SMSESSION]is not valid.]
Siteminder all versions;
The Federation Service finds an existing SMSESSION cookie. It finds the Session ID and Session Spec value from that cookie.
But when it tries to verify the validity of this retrieved session cookie, it complains that there is no "Session ID" *header*.
So, the problem is the lacking of a Session ID header.
As a result, it ignores this session cookie and says "Session cookie [SMSESSION] is not valid" and redirects to the authentication URL.
Because of the ignoreurl=/affwebservices/public ACO parameter, the URL that contains /affwebservices/public will not get authorized, hence the required headers will not be set.
So when affwebservices decoded the SMSESSION it was fine, but later when it relied on headers set from normal CA Access Gateway (SPS) / Web Agent it would not find them, due to this Federation Service will fail to validate the session and redirecting back to Authentication URL.