When client enables cross site scripting check, will it stop smsession cookie being passed in the url?
No.
Siteminder smsession is Base64-encoded string. Its standard index table can be found over internet sites, 64-character alphabet consisting of upper- and lower-case Roman letters (A–Z, a–z), the numerals (0–9), and the "+" and "/" symbols. The "=" symbol is also used as a special suffix code. Generally you will not see any of cross scripting check in client configuration matching with above character mentioned.