CA End Point 12.8 installation introduced a new kbl limitation , after upgrade users sessions are duplicated when user logs in.
When KBL is enabled it intercepts login session and additional process created between shell tty and connection.
This process is cmdlog and this process creates additional tty , it will show user logged in twice.
To avoid this , kbl_audit configuration has to be set as no which no longer tracks keyboard logging.
This is a known issue which is fixed in R12.8 SP1 Endpoint release.
Thanks Mohammed !