Ok, so the way the SiteMinder SSO Zones are implemented seems really weird.
From what it looks like, the only time a zone is set by the API GW is during the "authenticate" call, and otherwise it overwrites to SM. But if a user already has a session cookie and you perform a cookie update to maintain the idle timeout values... it overwrites the zone to default SM.
How exactly can I maintain session state of a user session cookie if I can only define an SSO zone on the Authenticate and while passing in a credential like username+pass or certificate?
Am I missing something really simple/obvious here?
Ok, guess it's a bug, possibly fixed in 9.2 CR7, but the bug is still present on base 9.3, so gotta wait for CR 1 for that (doesn't look like it's out yet).
You are correct. It is expected to be fixed for CA API Gateway 9.3 with the upcoming CR release.