Additional info:
SSO Agent API has a number of calls/function that can be implemented
APIM implemented only a few
Protected assertion call isProtected()
Authentication assertions calls login()
Authorized assertions calls authorized()
No assertion that calls logout()
Logout sets the client SMSESSION cookie = LOGGEDOFF, but it also does a call back to the policy server for that session if session store is in play it will remove that sessionid from the store