Users are receiving a 400 error for an SP-Initiated POST request. Session store is enabled. FWSTrace.log shows assertion successfully generated, but immediately after shows an incoming GET request from same user. It's clear that the POST data is being preserved until this phantom assertion is generated. It's unclear why the browser isn't POSTing the assertion to the ACS URL. Customer did note that in the failing use case he does see the user redirected back to the auth scheme after successfully authenticating, suggesting that something is going wrong with the SecurID auth scheme in use (Fiddler was not avilable during the remote session).
Browser is sending X-Requested-With: XMLHttpRequest request header after authentication and is thus refusing to auto-POST the assertion to the remote domain.
The X-Requested-With: XMLHttpRequest request header needs to be removed or prevented before an authenticated user reaches saml2sso, else the browser will refuse to POST the assertion to the remote domain.