I am testing a Siteminder Policy Server 12.51 + CA Secure Proxy Server that perform SecurID authentication with the RSA ACE server.
The SecurID authentication (PIN+token code) works well if the user's PIN has already been defined.
However, if the PIN is not defined yet or requires a change, the authentication fails.
In this latter case, the user should enter only the token digits and be prompted with a New PIN dialog asking to define a new PIN.
The New PIN dialog does not appear and authentication fails.
The RSA server trace log shows that Siteminder submits credentials to RSA, but when RSA invokes the New PIN mode, Siteminder cancels the New PIN Mode ("new PIN mode cancelled"). Instead, Siteminder resends a new authentication attempt with the same token code, which produces a "token reuse detected" error and authentication failure.
The New PIN worked with the very same Siteminder server a couple of weeks ago but for some reason is not working anymore.
The New PIN mode still works well if we test it with the local native Windows RSA Agent set up on the Policy Server.
So this is not an RSA server problem or a token/user-related issue.
The server clocks are synchronized.
What may be wrong?
I think the key question is what was changed, since New PIN Mode was working before, so I understand something has changed in the environment or configuration. I do not think this is an RSA AM issue. Are you using a custom authentication scheme? Did you try with an OOTB one?
Maybe you could gather all logs for a reproduction attempt and Fiddler traces and open a case with Support to analyze them; however, I would first carefully review the changes made recently in the configuration and environment before the issue appeared.