We are using CA API Gateway OTK 4.3 as our OAuth provider. That means when an external user tries to log into the company ABC app (3rd party/RP), the user is redirected to our OTK for credential validation and token generation. When the user enters uid/pwd, it is validated by CA SiteMinder, which sets an SMSESSION cookie in the browser.
Now the user clicks log off on the third-party application and the RP calls the OAuth token revoke endpoint to invalidate the token. However, we still see the SMSESSION cookie in the user's browser, and because of this the user is able to log in without entering uid/pwd after logging out.
Any thoughts please... how do we remove the SMSESSION cookie from the user's browser when the Relying Party calls the OAuth token revoke endpoint?
If you are not using a session store, then I think the best option is to overwrite the SMSESSION cookie with LoggedOff, which can easily be done in API Gateway. This will clear the valid session from the browser. However, if the user still has a copied SMSESSION, then he/she can use it to log in again.
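As an added illustration of the overwrite approach described in this answer (example code written here, not from CA, the OTK, or the original poster), the following Python shows what the revoke endpoint's response needs to carry for the browser to discard the SMSESSION cookie: the same cookie name, domain and path as the original, a value SiteMinder treats as logged off, and an expiry in the past. The cookie domain `.example.com`, the sample `Cookie` header, and the function names are assumptions for the example; only the standard library is used.

```python
"""Added example: overwrite SiteMinder's SMSESSION cookie in a token-revoke response.

Not gateway policy code; it models the headers the gateway would emit.
"""
from http.cookies import SimpleCookie
from email.utils import formatdate

# Value SiteMinder treats as "no session" (the answer calls it LoggedOff).
LOGGED_OFF_VALUE = "LOGGEDOFF"


def parse_cookie_header(cookie_header: str) -> dict:
    """Turn a request 'Cookie:' header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def has_live_smsession(cookie_header: str) -> bool:
    """True if the request still carries an SMSESSION that is not the logged-off marker."""
    value = parse_cookie_header(cookie_header).get("SMSESSION")
    return bool(value) and value.upper() != LOGGED_OFF_VALUE


def build_logoff_set_cookie(domain: str, path: str = "/") -> str:
    """Build the Set-Cookie value that overwrites SMSESSION and expires it.

    Domain and Path must match the cookie SiteMinder originally set, otherwise the
    browser stores a second cookie instead of replacing the live one.
    """
    jar = SimpleCookie()
    jar["SMSESSION"] = LOGGED_OFF_VALUE
    jar["SMSESSION"]["domain"] = domain          # assumed: same domain as the SM agent
    jar["SMSESSION"]["path"] = path
    jar["SMSESSION"]["expires"] = formatdate(0, usegmt=True)  # epoch: browser deletes it
    jar["SMSESSION"]["secure"] = True
    jar["SMSESSION"]["httponly"] = True
    return jar.output(header="").strip()


def revoke_response_headers(request_cookie_header: str, domain: str) -> dict:
    """Headers the revoke endpoint should return; clears SMSESSION only when one is live."""
    headers = {"Content-Type": "application/json"}
    if has_live_smsession(request_cookie_header):
        headers["Set-Cookie"] = build_logoff_set_cookie(domain)
    return headers


if __name__ == "__main__":
    # Constructed sample request cookie header, not captured from a real session.
    sample = "SMSESSION=AbCdEf0123456789; JSESSIONID=deadbeef"
    for name, value in revoke_response_headers(sample, ".example.com").items():
        print(f"{name}: {value}")
```

The overwrite only affects the browser that receives the response; as the answer notes, a copy of the original SMSESSION value taken before logoff remains valid on the SiteMinder side until it expires, so anything that needs a hard cut-off also has to revoke the session where it is tracked.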