Hi,
Do you mind if I move this to the API Gateway community post, rather than the here in the SSO community.
I've got below what I think is your issue, but otherwise this will just confuse the SSO folk, for SSO policy is not the same as API Gateway policy :-) .
I expect you need to create the SSO context,
Manage CA Single Sign-On Configurations - CA API Gateway - 9.3 - CA Technologies Documentation
Which creates the ${siteminder.*} context variable - that is what I think you are missing.
Then that gives you all the following :
CA Single Sign-On Context Variables - CA API Gateway - 9.3 - CA Technologies Documentation
which you can use in the "CheckProtected Resource against SSO"
Cheers - Mark
PS: Sorry I though I'd pressed commit on this earler today, but find when I got back that I had not