Hi Stefan,
Policy server doesn't have an authentication cache. So yes, it queries the user directory (AD in your case) for every authentication request (for each user).
It however has a "User Authorization/Az" Cache:
User Authorization Cache:
The User Authorization cache remembers unique PolicyAuthorization results by User Directory OID and user DN + filter path + filterclass + resolution. It is not unique to sessions. The entries in the Authorization cache are determined by (number of users) * (number of policies for which user could be authorized). Entries live for the length of time specified by the Cache EntryLifetime setting. User Authorizations that are cached may not match the entries in the Policy Store for up to the length of time that the Authorization cache is alive. In addition, a change in the user directory which authorization is keyed off of will not be picked up for this length of time.
Similarly, on the Web Agent side it has:
User Session Cache:
The User Session cache caches Authentications and Authorizations. Authentication is based upon session ID and Realm OID and is dependent upon the number of Realms to which a user has access (e.g. 10 users accessing 100 Realms will fill a cache of size 1000). Authorization is based upon session ID and resource (Full URI, Method, and Agent name). Response information is cached by each process and stored with a timestamp denoting its validity. The maximum session time is also stored for cleanup of entries. Logout does not flush the cache.
The following documentation explains the different caches that SiteMinder has:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={3215EFBF-F478-43CC-8AC5-303E3B7132C0}
Hope this helps.
Cheers,
Ujwol Shrestha
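
The staleness window and sizing described above for the User Authorization cache, as an added example that is not part of the original post and is not SiteMinder code: a toy TTL cache keyed on the fields the post lists. The OID, DN, path, filter class and resolution values are constructed placeholders, and time is passed in explicitly so the result is deterministic.

```python
# Added illustration: a toy model of the cache behaviour described in the post.
class AuthzCache:
    def __init__(self, lifetime_s, directory_check):
        self.lifetime_s = lifetime_s
        self.directory_check = directory_check  # callable(user_dn, filter_path) -> bool
        self.entries = {}                       # key -> (decision, expires_at)

    def authorize(self, now, dir_oid, user_dn, filter_path, filter_class, resolution):
        # Key fields follow the post; there is no session ID in the key.
        key = (dir_oid, user_dn, filter_path, filter_class, resolution)
        cached = self.entries.get(key)
        if cached is not None and now < cached[1]:
            return cached[0], "cache"           # directory is not consulted
        decision = self.directory_check(user_dn, filter_path)
        self.entries[key] = (decision, now + self.lifetime_s)
        return decision, "directory"


def revocation_timeline(lifetime_s=300):
    """Revoke a user after the first lookup and record what is answered later."""
    dn = "cn=alice,ou=people,dc=example,dc=test"     # constructed sample user
    allowed = {(dn, "/payroll")}                     # constructed directory state
    cache = AuthzCache(lifetime_s, lambda d, p: (d, p) in allowed)
    args = ("dir-oid-1", dn, "/payroll", "group", "member")
    timeline = [(0, *cache.authorize(0, *args))]
    allowed.clear()                  # access removed in the user directory
    for t in (20, lifetime_s - 1, lifetime_s):
        timeline.append((t, *cache.authorize(t, *args)))
    return timeline


def filled_entries(users=10, policies=100):
    """Every user hitting every policy path yields users * policies entries."""
    cache = AuthzCache(300, lambda d, p: True)
    for u in range(users):
        for p in range(policies):
            cache.authorize(0, "dir-oid-1", f"cn=user{u}", f"/app{p}", "group", "member")
    return len(cache.entries)


if __name__ == "__main__":
    for t, decision, source in revocation_timeline():
        print(f"t={t:>3}s allowed={decision} answered_by={source}")
    print("entries:", filled_entries())
```

The revoked user keeps receiving an allow from the cache until the entry lifetime elapses, so that lifetime bounds how long a directory-side revocation can go unenforced.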