MyTechReference - Technical Notes

by IDAMGroup

CA Siteminder Single Sign-On

How to configure Single Sign-On Across Multiple Cookie Domains

When a user logs into website A and then switches to website B in the same browser, they are asked to enter their credentials again because website B is in a different cookie domain. The ability to pass single sign-on information across multiple cookie domains enables a user to authenticate at a site in one cookie domain and then go to a site in another cookie domain without being rechallenged for credentials.

In this post I will show you how to configure Single Sign-On for different domains pointing to the same user store.

You can also configure SSO for domains pointing to different user stores, which I will explain in a different post.

What is Cookie domain?

For the below domains

Here cookie domain is ” *” and “*”

What is Cookie provider ?

The Cookie Provider is a SiteMinder Web Agent which ensures that the SiteMinder SMSESSION cookie exists in the cookie provider domain.

Only one Cookie Provider can be configured in a deployment.

Diagram for SSO

[Figure: Siteminder SSO]

How SSO works

  1. The user accesses the URL
  2. The web agent redirects the browser to the Cookie Provider to ask for the cookie
  3. The Cookie Provider checks whether it has the cookie or not; if it does not, it sets SMSESSION to No
  4. The web agent reads that SMSESSION value and challenges the user if it is No
  5. Once the user is authenticated in , the web agent redirects to the Cookie Provider and sets the cookie as
  6. The Cookie Provider redirects back to and the SMSESSION cookie is set for
  7. The browser is redirected to the protected resource


So when a user requests a protected resource in a domain within the single sign-on environment, is challenged for credentials, and authenticates successfully, the following cookies are set in the user's browser:

    • The local SMSESSION cookie for the domain where the user has authenticated.
    • The SMSESSION cookie in the cookie provider domain, set by the cookie provider.

The user can then navigate between the domains in the single sign-on environment without being rechallenged.


To enable Single Sign On

On the cookie provider web agent, in this example it is

Infrastructure -> Agent Configuration Object -> WebOne_ACO

Enable RequireCookies




Enable PersistentCookies




Specify CookieDomain





If the CookieDomainScope parameter is set to 2, the cookie domain would be and respectively

Enable IP Address Validation for Single Sign-On Environments

An unauthorized system can monitor packets, steal a cookie, and use that cookie to gain access to another system. To prevent a breach of security by an unauthorized system, you can enable or disable IP checking for persistent and transient cookies.
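To make the seven-step flow, the cookie-domain derivation from CookieDomainScope, and the IP-validation setting concrete, here is an added toy model of the exchange between the browser, two web agents and the single cookie provider. It is example code written for this post, not CA SiteMinder code; the class names (Browser, WebAgent, CookieProvider), the host names and the user store are constructed, and the rule "CookieDomainScope N keeps the rightmost N labels of the host" is an assumption that matches how the text describes scope 2.

```python
"""Toy model of SiteMinder-style SSO across cookie domains (added example,
not SiteMinder code; all names, hosts and users are constructed)."""
from copy import deepcopy
from dataclasses import dataclass
import hmac
import secrets


def cookie_domain(host: str, scope: int = 0) -> str:
    """Assumed CookieDomainScope rule: keep the rightmost `scope` labels
    (2 -> ".site-a.example", 3 -> ".www.site-a.example"); 0 means 2 here."""
    labels = host.lower().rstrip(".").split(".")
    n = 2 if scope == 0 else scope
    n = max(2, min(n, len(labels)))
    return "." + ".".join(labels[-n:])


class Browser:
    """Cookie jar keyed by cookie domain, plus the client IP seen by agents."""

    def __init__(self, ip: str):
        self.ip = ip
        self.jar: dict[str, dict[str, str]] = {}

    def set_cookie(self, domain: str, name: str, value: str) -> None:
        self.jar.setdefault(domain, {})[name] = value

    def cookies_for(self, host: str) -> dict[str, str]:
        # A cookie with domain ".x.example" is sent to x.example and *.x.example.
        out: dict[str, str] = {}
        for domain, cookies in self.jar.items():
            if host == domain[1:] or host.endswith(domain):
                out.update(cookies)
        return out


@dataclass
class Session:
    user: str
    ip: str          # client IP the session was issued to


SESSIONS: dict[str, Session] = {}            # stand-in for the policy server
USERS = {"alice": "correct-horse-battery"}   # constructed toy user store


def issue_session(user: str, ip: str) -> str:
    token = secrets.token_hex(8)
    SESSIONS[token] = Session(user, ip)
    return token


def validate_session(token: str, client_ip: str, check_ip: bool):
    """User for a valid token, else None. With IP checking on, a cookie
    presented from a different client IP than it was issued to is rejected."""
    s = SESSIONS.get(token)
    if s is None or (check_ip and s.ip != client_ip):
        return None
    return s.user


class CookieProvider:
    """The single cookie-provider agent; it only owns its own cookie domain."""

    def __init__(self, host: str, scope: int):
        self.host = host
        self.domain = cookie_domain(host, scope)

    def lookup(self, browser: Browser) -> str:
        # Steps 2-3: reply with the SMSESSION value, or "NO" if none is held.
        return browser.cookies_for(self.host).get("SMSESSION", "NO")

    def store(self, browser: Browser, token: str) -> None:
        # Step 5: the authenticating agent hands the session to the provider.
        browser.set_cookie(self.domain, "SMSESSION", token)


class WebAgent:
    def __init__(self, host: str, scope: int, provider: CookieProvider, check_ip: bool = True):
        self.host, self.provider, self.check_ip = host, provider, check_ip
        self.domain = cookie_domain(host, scope)

    def request(self, browser: Browser, credentials=None) -> str:
        """Return "OK" when the protected resource is served, else "CHALLENGE"."""
        token = browser.cookies_for(self.host).get("SMSESSION")
        if token is None:                        # no local cookie: ask the provider
            token = self.provider.lookup(browser)
            if token != "NO":                    # step 6: copy into the local domain
                browser.set_cookie(self.domain, "SMSESSION", token)
        if token != "NO" and validate_session(token, browser.ip, self.check_ip):
            return "OK"                          # step 7
        if credentials is None:
            return "CHALLENGE"                   # step 4
        user, password = credentials
        if not hmac.compare_digest(USERS.get(user, ""), password):
            return "CHALLENGE"
        token = issue_session(user, browser.ip)  # step 5
        browser.set_cookie(self.domain, "SMSESSION", token)
        self.provider.store(browser, token)
        return "OK"


def walkthrough(check_ip: bool = True) -> list:
    """Challenge at site A, then site B with no challenge, then the same
    cookie jar presented from another client IP (the risk the text describes)."""
    provider = CookieProvider("sso.provider.example", scope=2)
    site_a = WebAgent("www.site-a.example", 2, provider, check_ip)
    site_b = WebAgent("www.site-b.example", 2, provider, check_ip)
    browser = Browser("10.0.0.5")
    results = [site_a.request(browser),
               site_a.request(browser, ("alice", "correct-horse-battery")),
               site_b.request(browser)]
    other = Browser("192.0.2.99")
    other.jar = deepcopy(browser.jar)            # same cookies, different client IP
    results.append(site_b.request(other))
    return results
```

`walkthrough()` returns `["CHALLENGE", "OK", "OK", "CHALLENGE"]`: the first visit to site A is challenged, site B is served without a challenge because the provider already holds the SMSESSION cookie, and the replayed jar is rejected by the IP check. Running `walkthrough(check_ip=False)` makes the last result `"OK"`, which is exactly the exposure the IP-validation setting closes; in a real deployment the trade-off is clients whose address changes mid-session (proxies, mobile networks), which is why the product lets you enable or disable it.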





Modify the Session Update Period




Enter the Cookie provider URL

Go to the second agent's ACO, IBMHTTP_ACO, and set the Cookie Provider URL parameter to the URL of the Cookie Provider.



Click OK and submit the changes.




Access and then switch to in the same browser; the user should not be challenged for credentials.



Disclaimer: Content posted here worked for me and may not guarantee success, should be used as reference only and please use it cautiously.