but the login.fcc page should always be accessible to be processed.
Tech Tip : CA Single Sign-On :: Web Agent::How to restrict user from using login.fcc directly https://communities.ca.com/community/ca-security/ca-single-sign-on/blog/2018/02/14/tech-tip-ca-single-sign-on-web-agenthow-to-restrict-user-from-using-loginfcc-directly
2 - You might check the Global Delivery Module:
Authentication Using Login Sequence for CA Single Sign-On
SiteMinder customers have expressed a desire to have the ability to automatically apply different authentication schemes to different groups of users; if the user fails to provide correct credentials for one authentication mechanism, automatically fail over to a different authentication mechanism; or combine multiple authentication mechanisms into a sequence that the user must successfully pass through to get authenticated. The Login Sequence Authentication (SmLoginSequenceAuth) solution extends the functionality of SiteMinder’s standard authentication schemes in order to address the above requirements.
CA Global Delivery Packaged Work Product Download Index https://support.ca.com/us/product-content/recommended-reading/technical-document-index/ca-global-delivery-packaged-work-product-module-index.html?id=%7B3B2E2905-11AF-4479-B309-63F113CA5D57%7D?id=%7B3B2E2905-11AF-4479-B309-63F113CA5D57%7D#SSO
3 - You might be able to handle idle timeout and max timeout redirection with the ACO parameters:
Redirect a User after a Session Time-out https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/web-agent-configuration/session-protection/redirect-a-user-after-a-session-time-out