There are two ACO Parameters for CSS Checks.
BadCssChars=<Character List>.
CSSChecking=YES/NO.
If we set
#BadCssChars=<Character List>.
CSSChecking is not defined in ACO.
It means CSSChecking is enabled by default. And WebAgent will perform CSSChecking against an inbuilt hardcoded list even though BadCssChars is disabled.
Did we set CssChecking=NO, restart WebAgent and try?
The AgentLog show no CSSChecking value. Which means WebAgent would use "default' i.e. YES.
Reference :
Help Prevent Attacks - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation