IBM Tivoli Federated Identity Manager, Version 6.2.1

Custom properties for LTPA tokens

Specifying custom Tivoli Federated Identity Manager runtime properties that force compatible QName generation

WebSphere® Application Server versions 6.0.2 and 6.1 do not distinguish between LTPA v1 and LTPA v2 tokens in Web Services. Only one BinarySecurityToken ValueType is supported for LTPA tokens, and the QName of the value type is:

http://www.ibm.com/websphere/appserver/tokentype/5.0.2#LTPA

When the Tivoli® Federated Identity Manager STS issues an LTPA v2 token, the token is created with the following QName. This QName is correct, but it is not supported by WebSphere Application Server versions 6.0.2 and 6.1:

http://www.ibm.com/websphere/appserver/tokentype#LTPAv2

This APAR provides custom Tivoli Federated Identity Manager runtime properties that force compatible QName generation if needed. To enable compatibility mode, set either or both of the following custom runtime properties:

ltpa.enable.compat.mode.[chainid_uuid]=true
ltpa.enable.compat.mode=true

where chainid_uuid is the value of the Chain UUID. For example:

ltpa.enable.compat.mode.[uuideb42e428-011b-1ebc-a0cb-9e6c4b35c1c7]=true

To determine the value of Chain UUID, in the administration console select Trust Service Chains -> Select Action, then select Show Chain ID in column in table. A new column that displays the unique Chain ID then appears in the table.
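As an added illustration, not code from IBM or Tivoli Federated Identity Manager, the following Python models the selection rule described above: the STS emits the 5.0.2 QName for an LTPA v2 token when either the chain-specific property or the global property is true, and a captured wsse:Security header is accepted by WebSphere Application Server 6.0.2/6.1 only if every BinarySecurityToken carries that QName. The properties file sample, the function names and the minimal key=value parser are assumptions; the WS-Security secext namespace is the standard OASIS 1.0 one.

```python
# Added example (not TFIM's own code): models the documented selection rule
# for the LTPA BinarySecurityToken ValueType QName and checks a captured header.
from xml.etree import ElementTree as ET

LTPA_V1_QNAME = "http://www.ibm.com/websphere/appserver/tokentype/5.0.2#LTPA"
LTPA_V2_QNAME = "http://www.ibm.com/websphere/appserver/tokentype#LTPAv2"
# Standard WS-Security 1.0 secext namespace used for wsse:BinarySecurityToken.
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Constructed sample of custom runtime properties (Java .properties syntax).
SAMPLE_PROPERTIES = """\
# per-chain override: only this chain emits the 5.0.2 QName
ltpa.enable.compat.mode.[uuideb42e428-011b-1ebc-a0cb-9e6c4b35c1c7]=true
ltpa.enable.compat.mode=false
"""

def parse_properties(text):
    """Minimal key=value parser; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().lower()
    return props

def compat_mode_enabled(props, chain_uuid):
    """Either the chain-specific key or the global key set to true enables compat mode."""
    per_chain = props.get(f"ltpa.enable.compat.mode.[{chain_uuid}]") == "true"
    global_flag = props.get("ltpa.enable.compat.mode") == "true"
    return per_chain or global_flag

def ltpa_value_type(props, chain_uuid, token_version=2):
    """QName the STS would place in the BinarySecurityToken ValueType attribute."""
    if token_version == 1 or compat_mode_enabled(props, chain_uuid):
        return LTPA_V1_QNAME
    return LTPA_V2_QNAME

def was61_compatible(soap_header_xml):
    """True if every BinarySecurityToken in a wsse:Security header uses the 5.0.2 QName."""
    root = ET.fromstring(soap_header_xml)
    tokens = root.findall(".//{%s}BinarySecurityToken" % WSSE_NS)
    return bool(tokens) and all(t.get("ValueType") == LTPA_V1_QNAME for t in tokens)
```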
