Hi Matthew,
Are there any network devices in the environment that may cause this?
Also please see if this helps:
The Authorization process validates the session data from
the SessionSpec, which contains the Client IP. The Policy Server always compare the Client IP from the
SessionSpec with the one given by the Attribute 208.
Web agent settings to use as deemed appropriate:
- TransientIPCheck
- PersistentIPCheck
- ProxyDefinition
- CustomIPHeader
You can refer to these parameters which help in checking the IP Address and failing they would give a InvalidSessionIP errors.
Below is the link to documentation :
https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/web-agent-configuration/list-of-agent-configuration-parameters
https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/web-agent-configuration/user-protection-and-tracking/verify-ip-addresses#VerifyIPAddresses-CompareIPAddressestoPreventSecurityBreaches
You can also refer to the Tec Doc below:
http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1694636.aspx