This article discusses how to determine the protection level of an SMSESSION cookie or the session-spec via the CA SiteMinder Java Agent API.
The session-spec field of the SMSESSION cookie is encrypted as the Web Agent transmits it to the Policy Server, which makes the authentication and authorization decisions. By decoding the SMSESSION cookie, you get the following information:
attr_userdn
attr_sessionspec
attr_username
attr_clientip
attr_devicename
attr_idlesessiontimeout
attr_maxsessiontimeout
attr_startsessiontime
attr_lastsessiontime
See the Sm_AgentApi_DecodeSSOToken function description. This function is used for the Web Agent. However, you won't get the protection level from it, because it is up to the Policy Server, not the Web Agent, to determine whether the user has to re-authenticate.