To add to the answer that Ujwol added,
Firstly yes the REST api logout call is more related to session store usage, where it will delete the entry from the session store. In the webagent (non REST call mode) the main purpose of the logout call, in addition the the session store use, is to delete the SMSESSION cookie.
But the SMSESSION cookie does have it's own expire idle timeout built into it, the webagent when it receives a request decrypts and decodes the SMSESSION and checks if the idle timeout has expired before processing the request.
So after the logout call, the SMSESSION cookie is only valid for that moderately short idle timeout period and will then expire.
Cheers - Mark
BTW: Even with session store usage, it takes some time for the deleted session to be flushed to all policy servers and webagents, - so there too there is a small period of time (smaller than idle timeout, but still small period time) when it will be accepted (ACO settings can adjust that time, and setting Az cache to 0 will mean agent checks the policy server each time) .