So here's a thought... No clue if it'd work or not and definitely not sure if it could be done securely.
IIS can natively enforce Authentication Mechanism Assurance as well. So if there was an ASPX or other page protected by IIS + AMA which would pass through the user security context... would it be possible to just take that user context, pass it down to the Policy Server, authenticate that user (no actual 'credential'), and do normal SM flow that way?
In that scenario, SiteMinder would just have to be able to securely receive the user context from a specific agent/form/whatever only; i.e., don't just take any context passed to it by anyone.
Any ideas if something like that would even be possible? Seems like that would offload a lot of the heavy lifting off SiteMinder -- much the way SiteMinder already relies on the Web Server to verify certificate key exchanges for X.509 (since that scheme literally accepts any public certificate and 'authenticates' it).