SiteMinder user directories can have Identity Manager handle password changes for users. In this configuration, a user may log in to a SiteMinder-protected resource and then be forced to reset their password due to password expiration or some other policy that forces a password change. In these cases, the user is authenticated and given an SMTOKEN value by the policy server. The user is then redirected to a public page on the Identity Manager server that is associated with this user directory. Identity Manager takes the SMTOKEN value and asks the policy server to validate it and provide the username that needs to have the password reset.
In some cases, the policy server that Identity Manager asks to validate the SMTOKEN value is NOT the policy server that issued the token. This can happen if there are multiple policy servers protecting different resources and those policy stores have a shared key store.
This error may occur if the policy stores' system times are not in sync, since the SMTOKEN value has a limited lifespan.