The administrative interface to CA SSO provides a ripe target for malicious actors, both internal and external. You would think administrators would take appropriate precautions to secure that interface, but I have seen many instances where the Web Access Manager User Interface (WAMUI, aka AdminUI) is published on a non-secure port. That means administrator credentials are routinely on the wire in clear text. To add further risk, the WAMUI is not protected by an agent, so many non-administrators are able to probe and attack the WAMUI in the "bad guys'" unending quest to compromise the security of the single sign-on environment in particular and the enterprise at large.
I'm new to blogging and not yet familiar with the mechanics of this tool. I envision this topic being a series of posts rather than one monolithic treatise, so please have patience while I figure out whether I can amend or append to this post or have to create a separate blog topic for each installment of the Saga of WAMUI Security.