I have been handed a dev stack that includes CA SiteMinder. The response headers are stripped of the JSESSIONID cookie. The applicaiton server is generating them but somewhere in the stack my response headers are being stripped. My hunch is that it's SiteMinder at work. Can anyone confirm this behavior?
If this is default behavior how are session states persisted without cookies? Passing the JSESSIONID as part of the URL works however it is non-optimal.