mwegrzyn
Before I suggest this, I am totally against sending passwords in response. This defeats all security definitions / frameworks. We should not be doing this.
What passwords are we talking here? User Passwords?
If we are talking about User Passwords, then the ENCRYPTION ALGORITHM is controlled by User Store (i.e. LDAP or ODBC Product being used).
CA SSO does not handle User Password ENCRYPTION / DECRYPTION OOB.
Have you checked if the Password are stored by User Store as ONE WAY HASHING ALGORITHM or TWO WAY HASHING ALGORITHM - if it is ONE WAY HASH ALGO, there is no way to retrieve the clear text password.
Hence the first step for such a requirement is to understand the way User Password is stored by the User Store. If the User Store allows for retrieving password back as Clear Text (i.e. provided the User Store support TWO WAY HASHING ALGORITHM); then CA SSO could read it like a normal user attribute and pass it back as a clear text (not good not good) header response.
Regards
Hubert