When setting 'yes' to SecureURLs in ACO parameter, but WebAgent can not encode hash(#) value in URL, despite other delimiter string (e.g <,>,",%) are encoded.
This is related to Web browser specification, not CA SSO side.
The URL fragment (everything from # on) not even gets sent to the server.
They are regarded as locations within the document and are therefore not exposed to the server.
Please refer to the following additional information.
Hash character in URLs (accessing and redirecting in Apache)
How does IIS URL Rewrite handle # anchor tags