Thanks everyone for the feedback! This community is amazing.
I believe I understand better why multiple Set-Cookies for the same CA SSO credential are occurring. A brief explanation is given below.
This environment has web servers on a PCI External Network that act as a reverse proxy for web servers on our Internal PCI Network. All web servers involved have SiteMinder web agents installed and share the same SiteMinder policy.
Thus every external URL for this application will invoke two SiteMinder web agents before the app gets invoked. Each web agent will update its SMSESSION credential to reflect the last time it was used for idle timeouts. This results in the browser seeing multiple Set-Cookie calls for multiple SMSESSIONs.
The browser will process each SMSESSION separately. However, on subsequent requests, the browser will have only one SMSESSION and thus it sends only one SMSESSION. All is well.
Takeaway: This is expected behavior and is not a security risk, it would seem.
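The behavior described in the post above, as an added example (not code from the original post or from CA SiteMinder): it replays a response's Set-Cookie headers in order the way an RFC 6265 cookie store does, so two SMSESSION headers with the same name, domain and path end up as one stored cookie, and it reports the case where they would not. The header values, the `example.test` domain and the function names are constructed for illustration, and a missing Path is assumed to default to `/`.

```python
from collections import defaultdict

# Constructed sample: headers as a browser might see them after both agents ran.
SAMPLE = [
    ("Set-Cookie", "SMSESSION=value-from-internal-agent; Path=/; Domain=.example.test; Secure; HttpOnly"),
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SMSESSION=value-from-external-agent; path=/; domain=example.test; Secure; HttpOnly"),
]

def parse_set_cookie(header_value):
    """Return (name, value, attrs) for one Set-Cookie header value."""
    first, *rest = [p.strip() for p in header_value.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for item in rest:
        if item:
            key, _, val = item.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def replay(headers, request_host, default_path="/"):
    """Apply Set-Cookie headers in order, as an RFC 6265 cookie store would.

    Returns (jar, findings): jar maps (name, domain, path) -> value, and
    findings lists cookies set more than once in the same response.
    """
    jar, seen = {}, defaultdict(list)
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, val, attrs = parse_set_cookie(value)
        # Leading dot is ignored; no Domain attribute means the request host.
        domain = attrs.get("domain", "").lstrip(".").lower() or request_host.lower()
        path = attrs.get("path") or default_path  # assumption: default path is "/"
        key = (name, domain, path)
        jar[key] = val  # same name+domain+path: the later header replaces the earlier
        seen[key].append({f for f in ("secure", "httponly") if f in attrs})
    findings = [{"cookie": key, "count": len(flags),
                 "flags_differ": any(s != flags[0] for s in flags)}
                for key, flags in seen.items() if len(flags) > 1]
    return jar, findings

def names_stored_twice(jar):
    """Cookie names held under more than one (domain, path); the browser sends all of them."""
    counts = defaultdict(int)
    for name, _, _ in jar:
        counts[name] += 1
    return sorted(n for n, c in counts.items() if c > 1)
```

A non-empty `names_stored_twice` result, or `flags_differ` set to true, marks a response where the two Set-Cookie headers are not interchangeable and is worth checking against the agent configuration.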