It is the responsibility of the web application to collect the client IP address and provide the same to CA Risk Authentication server during evaluateRisk() API call.
Below are some approaches that we can suggest to collect the same in your web application.
The end user accessing your online application might be a home user or might be accessing it from their corporate network. In case of latter category of users, chances are that they might be "hidden" behind a proxy server. As a result, the way you will collect the IP address of an end user who is accessing your online application from behind a proxy will be different from the user who accesses it directly from home.
If the end user is accessing your application directly, then you can use the getRemoteAddr() method of the HttpServletRequest interface in your JSP. This method returns a string that contains the IP address of the client that sent the request.
If there is load balancer/proxy in between, the web application can make use of "X_FORWARDED_FOR" header to collect actual client IP address.
For example, below is a sample for JSP based applications
String client_ip = request.getHeader("X-Forwarded-For");
Note: there may be many other ways possible, using which your application can collect actual end user's IP address.