After a timeout of 20 minutes from inactivity in an application, Siteminder will not accept credentials when attempting to authenticate. We are forced to close the browser to re-authenticate.
There are circumstances under which the Web Agent may set a host-only session cookie, such as if the CookieDomainScope parameter is configured with too high a value, or the cookie domain cannot be resolved. This can result in the client having multiple valid session cookies. Upon the idle timeout, only one of those session cookies can be invalidated. This can leave the user's session in an indeterminate state, causing unpredictable behavior.
In this environment the users were also receiving session cookies without any corresponding set-cookie statement in the http trace data. This can happen if the IIS cache is enabled.
IIS server was setting a host-only cookie that could not be invalidated by the logoff URI feature. Verify that the CookieDomainScope is not set to too large a value and that cookie domain resolution is working as expected.
Set Agent Configuration Object parameter IISCacheDisable='YES' on the IIS agent to assure IIS does not serve cached session cookies to clients.
Using an HTTP trace tool, such as Fiddler, is invaluable for analyzing and troubleshooting cases such as this.