
Single Sign On Problems between V6 and R12


Article ID: 7642


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On


SSO fails between two separate environments (disparate policy stores). Looking for what needs to be in place in order to achieve SSO when clients navigate between web servers in V6 and R12.



Two environments where the policy servers point to different policy stores. Store 1 Oracle LDAP and Store 1 CA Directory 12 SP18


SSO fails when navigating between environments because the session ticket is not the same. The SMSESSION cookie could be decoded (the agent keys were the same); however, when the agent sent the session spec to the policy server, the policy server was not able to read it. This is logged as “invalid key in use” in the smaccess log and the trace log of the policy server.



The session ticket is unreadable between V6 and R12 (V6 will treat it as NULL; R12 will fail to validate sessions).

Option to move past this issue:

Reset the session ticket in both environments to a known value (NOTE: this will force all currently logged-in sessions to be rechallenged).


This is done in the Admin UI; see example:

<Please see attached file for image: session-key.png>

Additional Information

The UserDir object in the Admin UI must be defined with the same name in both policy stores; the authenticated user DN must also be the same.


AuthValidation functionality can be used if (a) is not possible.

Common errors to look for when SSO fails:

  • Failed to decrypt (session keys are different)

ERROR WebAgent Trace:

[DecodeCookie][WARNING: Failed to decrypt SMSESSION= cookie.]

  • Invalid key in use

The session ticket is not the same, or a “custom agent” created the SMSESSION cookie, which is resolved by setting the ACP parameter AcceptTPCookie to yes


Error Policy Server trace Az [** Status: Not Authorized. Invalid key in use]

  • User directory name problem

User “A” is not authorized in the second environment - user directory name problem

Error Policy Server:

[00:15:48][** Status: Not Validated. Failed to resolve user directory 'UserStore_Authentication', '0e-3dffab22-c0db-0028-0000-165100001651']
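The three error signatures above can be checked for mechanically when triaging agent and policy server traces. The following is an added example, not part of the original article or of the product: the function names, labels and the last sample line are assumptions made for illustration, and the patterns match only the message text quoted on this page.

```python
import re
from collections import Counter

# Signatures taken from the trace messages quoted in this article; the
# cause text paraphrases the article's own explanation for each one.
SIGNATURES = [
    ("agent_key_mismatch",
     re.compile(r"Failed to decrypt SMSESSION"),
     "Web agent could not decrypt the cookie: session keys differ"),
    ("session_ticket_mismatch",
     re.compile(r"Not Authorized\. Invalid key in use"),
     "Session ticket differs, or a custom agent created the cookie (AcceptTPCookie)"),
    ("user_directory_name",
     re.compile(r"Failed to resolve user directory '(?P<name>[^']*)', '(?P<oid>[^']*)'"),
     "User directory object is not named identically in both policy stores"),
]

def classify(line):
    """Return (label, cause, details) for a trace line, or None if no match."""
    for label, pattern, cause in SIGNATURES:
        m = pattern.search(line)
        if m:
            return label, cause, m.groupdict()
    return None

def triage(lines):
    """Count findings per label and collect unresolved directory names."""
    counts, directories = Counter(), set()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        label, _cause, details = hit
        counts[label] += 1
        if "name" in details:
            directories.add(details["name"])
    return counts, directories

# Constructed sample: the article's messages plus one unrelated line.
SAMPLE = [
    "[DecodeCookie][WARNING: Failed to decrypt SMSESSION= cookie.]",
    "[** Status: Not Authorized. Invalid key in use]",
    "[00:15:48][** Status: Not Validated. Failed to resolve user directory "
    "'UserStore_Authentication', '0e-3dffab22-c0db-0028-0000-165100001651']",
    "[00:15:49][** Status: Authorized.]",
]

if __name__ == "__main__":
    counts, directories = triage(SAMPLE)
    for label, n in counts.items():
        print(f"{label}: {n}")
    print("unresolved directories:", sorted(directories))
```

Trace files that wrap long messages across lines need to be rejoined before matching, since the user directory pattern expects the name and identifier on one line.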

