Description:

You would like to return the user dn (returned in the default attribute SM_USERDN) in an attribute called DN.
You defined the user response DN=<%userattr="SM_USERDN"%> but it is not working; nothing is returned (not even an empty variable) even if properly bound.

Solution:

As described in the Policy Server Configuration Guide:

Chapter 15: Responses and Response Groups - Section - How SiteMinder Processes Responses - SiteMinder Generated User Attributes
Some attributes are generated at the policy server level and other at the Web agent level (which means that you can not use them in a response).

%SM_USERDN: is generated at the Web agent level and can not be used in a response
For an authenticated user, the Web Agent populates this http header variable with the DN as determined by the Policy Server. In the case of certificate-based authentication, this attribute can be used to identify a user.

%SM_USERNAME: is generated at the policy server level and can be used in a response
For an authenticated user, this attribute holds the user DN as disambiguated by SiteMinder. For an unauthenticated user, this attribute holds the user ID as specified by the user in the login attempt.

Moreover some attributes are not available for all Authentication/Authorization/Impersonation events, please check the Availability of SiteMinder-generated Response Attributes matrix in the Policy Server Configuration Guide for more information.