This one is personal bug bear of mine.
There is approach of forbidding "special" html characters, (ie use of BADXXXChars settings) whereas often they should often be allowed, but made sure they are encoded correctly. This come up with passwords and not too infrequently with user names (for example : mark.o'donohue ). The "&" is one such special character.
To make the agent encode them correctly you need the setting : FCCHtmlEncoding = yes
In my opinion it should default to = "yes" but broke a number of regression test cases so it was left with default of "no" some years ago.
The login.fcc page will then correctly encode special html characters : & < > " ' rather than leave them as raw values (the other option is to forbid them via badxxxchars setting). and then you can use them in passwords and usernames.
List of Agent Configuration Parameters - CA Single Sign-On - 12.52 SP2 - CA Technologies Documentation
Cheers - Mark