Hello there,
We are using CA API Gateway OTK 4.3 as an OAuth provider, which means that when an external user tries to log into the company ABC app (3rd party/RP), the user is redirected to our OTK for credential validation and token generation. However, when the user enters uid/pwd, it is validated by CA SiteMinder, which sets the SMSESSION cookie in the browser.
Now the user clicks log off on the third-party application and the RP calls the OAuth token revoke endpoint to invalidate the token; however, we still see the SMSESSION cookie in the user's browser, and because of this the user is able to log in without entering uid/pwd after logging out.
Any thoughts, please, on how to remove the SMSESSION cookie from the user's browser when the Relying Party calls the OAuth token revoke endpoint?
Thanks