After the 20 min idle timeout, Siteminder doesn't allow the user to reauthenticate.

Document ID : KB000074766
Last Modified Date : 23/03/2018
Issue:
After a timeout of 20 minutes from inactivity in an application, Siteminder will not accept credentials when attempting to authenticate. We are forced to close the browser to re-authenticate.
Cause:
There are circumstances under which the Web Agent sets a host-only session cookie (one without a Domain attribute), for example when CookieDomainScope is configured with a value larger than the host name can satisfy, or when the cookie domain cannot be resolved. The client can then hold multiple valid session cookies at the same time. On idle timeout only one of those session cookies is invalidated, which leaves the user's session in an indeterminate state and causes unpredictable behavior.

In this environment, users were also receiving session cookies without any corresponding Set-Cookie header in the HTTP trace data. This can happen when the IIS cache is enabled.
Resolution:
The IIS server was setting a host-only cookie that the logoff URI feature could not invalidate. Verify that CookieDomainScope is not set too high for the host name and that cookie domain resolution is working as expected.

Set the Agent Configuration Object parameter IISCacheDisable='YES' on the IIS agent to ensure IIS does not serve cached session cookies to clients.
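The following script is an added example for this article, not CA or Siteminder code. It shows the two points above in working form: how a CookieDomainScope value that exceeds the host name's labels leaves the agent unable to derive a cookie domain (so a host-only cookie is set), and why a browser that holds both a domain-scoped and a host-only SMSESSION cookie keeps one of them after the logoff URI clears the other. The trace lines are constructed, the LOGGEDOFF marker and the scope arithmetic (scope N keeps the rightmost N labels; 0 means the most specific domain below the host) are assumptions about agent behaviour, and the cookie-jar logic follows the RFC 6265 rule that a cookie without Domain is stored separately from one with Domain.

```python
"""Replay Set-Cookie headers from an HTTP trace and report SMSESSION cookies
that survive logoff. Added example; the trace and scope rules are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SESSION_COOKIE = "SMSESSION"      # Siteminder session cookie name
LOGGED_OFF = "LOGGEDOFF"          # assumed value the logoff URI writes


def cookie_domain(host: str, scope: int) -> Optional[str]:
    """Cookie Domain the agent would emit for CookieDomainScope=scope.

    Assumed semantics: scope N keeps the rightmost N labels of the host;
    0 keeps everything below the host label. A scope the host cannot
    satisfy yields None, i.e. a host-only cookie with no Domain attribute.
    """
    labels = host.lower().split(".")
    wanted = len(labels) - 1 if scope == 0 else scope
    if wanted < 2 or wanted >= len(labels):
        return None
    return "." + ".".join(labels[-wanted:])


@dataclass(frozen=True)
class CookieKey:
    name: str
    domain: str        # effective domain; the request host for host-only cookies
    host_only: bool


def parse_set_cookie(header: str, request_host: str) -> Tuple[CookieKey, str]:
    """Turn one Set-Cookie value into (storage key, cookie value)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain" and val:
            domain = val.strip().lower().lstrip(".")
    if domain is None:                      # no Domain= -> host-only cookie
        return CookieKey(name, request_host.lower(), True), value
    return CookieKey(name, domain, False), value


def replay_trace(request_host: str, set_cookie_headers: List[str]) -> Dict[CookieKey, str]:
    """Apply Set-Cookie headers to an empty jar the way a browser would:
    same (name, domain, host-only) key overwrites, a different key coexists."""
    jar: Dict[CookieKey, str] = {}
    for header in set_cookie_headers:
        key, value = parse_set_cookie(header, request_host)
        jar[key] = value
    return jar


def live_session_cookies(jar: Dict[CookieKey, str]) -> List[Tuple[str, bool]]:
    """(domain, host_only) of every SMSESSION cookie still holding a session."""
    return sorted(
        (k.domain, k.host_only) for k, v in jar.items()
        if k.name == SESSION_COOKIE and v != LOGGED_OFF
    )


# Constructed trace for app.example.com: a domain-scoped SMSESSION, then a
# host-only one (scope too high or a cached IIS response), then the logoff
# URI clearing only the domain-scoped cookie.
TRACE = [
    "SMSESSION=AbC123; Domain=.example.com; Path=/; Secure; HttpOnly",
    "SMSESSION=XyZ789; Path=/; Secure; HttpOnly",
    "SMSESSION=LOGGEDOFF; Domain=.example.com; Path=/",
]

if __name__ == "__main__":
    print("scope 0 ->", cookie_domain("app.example.com", 0))
    print("scope 4 ->", cookie_domain("app.example.com", 4), "(host-only)")
    leftover = live_session_cookies(replay_trace("app.example.com", TRACE))
    for domain, host_only in leftover:
        print(f"session cookie survived logoff: domain={domain} host_only={host_only}")
```

Run it against real Set-Cookie lines copied from a Fiddler trace: any SMSESSION entry reported after the logoff response is a cookie the logoff URI could not reach, and a host-only entry points at CookieDomainScope, domain resolution, or IIS caching as the source.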
Additional Information:
An HTTP trace tool such as Fiddler is invaluable for analyzing and troubleshooting cases like this.