Hi Venkata,
Not sure what version of web agent you are using, but if you are using the version which supports the XFrameOptions ACO parameter, then you can set this to DENY. (doesn't need configuration at webserver) to prevent this.
Help Prevent Attacks - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
Ensure Agent Responses Comply with X-Frame-Options
The X-Frame-Options HTTP header determines whether a browser loads a web page that is embedded or framed in another web page using the <frame> tag. If you use the X-Frame-Options response header in your web applications, ensure that Web Agent responses, such as the login.fcc form response, comply with the X-Frame-Options response header by setting the XFrameOptions ACO parameter. Specifying a value for this parameter sets a Web Agent response with the correct X-Frame-Options header.
XFrameOption
The available values for the XFrameOptions parameter are the same as the values for the X-Frame-Options response header:
Values: DENY, SAMEORIGIN, ALLOW-FROM uri
The X-Frame-Options is described by RFC 7024
Default: None (the header is not set)
Example: XFRAMEOptions = SAMEORIGIN
However, X-Frame-Options has its own known limitation and might not be honored by all browsers.
See more here :
Tech Tip - CA Single Sign-On: Web Agent : X-Frame-Options Introduced
Cheers,
Ujwol Shreshta