You have invalid configuration.
You have set "CookieDomain=.abc.xyz"
So, if even if you access resource using local host http://localhost/resource, web agent is going to set the cookie domain for the SMSESSION cookie to .abc.xyz.
This cookie is NOT submitted by the browser when you then access http://localhost.
You will need to have HOST only cookie for this to work.
So , try commenting CookieDomain and CookieDomainScope params.
You can verify this from fiddler.