When perfoming create SSOToken and decode SSOToken on Agent API, if the current keys do not match, PaddingException is thrown and does not proceed with last key process. As a result, AgentAPI fails to SSO and an error message below appears in Agent API log .

"AgentAPI decode ssoToken result : RETURN_CODE=[-1]"

Crypto-J which is Library of RSA in AgentAPI is designed to throw PaddingException if current keys do not match.

This issue may  occur under the condition where..

-Using FIPs Only mode.

-Using Agent API - CA SSO 12.0 SP03 or later version.

-Agent key rollover is configured

This issue occurs due to the design of RSA in AgentAPI. 

It will be changed on AgentAPI side not to throw PaddingException even if current keys do not match.

However, the schedule for the change is not fixed yet.