We usually secure ObSSOCookie so that the cookie is passed only in an SSL environment and non-SSL applications cannot access it. This is a very good feature for improving security in OAM. However, if you also want to secure ObFormLoginCookie, even though you won't find any sensitive information in this cookie, you can do so. Unlike securing ObSSOCookie, securing ObFormLoginCookie still allows end users to access applications over both non-SSL and SSL. Securing ObFormLoginCookie is explained below; this applies to OAM version 10g. Perhaps this would work in 11g too, although I haven't tried it.
Set-Cookie: ObFormLoginCookie=wh%3DRESOURCE-WEBGATE-HOST%20wu%3D%2Findex.html%20wo%3D1%20rh%3Dhttps%3A%2F%2FRESOURCE-WEBGATE-HOST%3A8080%20ru%3D%2Findex.html; Secure; path=/dummy.cgi
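As an added example (not part of the original post), the Python check below parses Set-Cookie headers, reports whether ObSSOCookie or ObFormLoginCookie is issued without the Secure flag, and URL-decodes the ObFormLoginCookie value so you can confirm what it carries. The function names are hypothetical, and the sample input is the header shown above.

```python
from urllib.parse import unquote

# Header copied from the post above (the host name is the post's own placeholder).
SAMPLE = ("Set-Cookie: ObFormLoginCookie=wh%3DRESOURCE-WEBGATE-HOST%20wu%3D%2Findex.html"
          "%20wo%3D1%20rh%3Dhttps%3A%2F%2FRESOURCE-WEBGATE-HOST%3A8080%20ru%3D%2Findex.html;"
          " Secure; path=/dummy.cgi")

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, raw_value, attributes)."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, raw_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), raw_value, attrs

def decode_form_login_value(raw_value):
    """URL-decode the cookie value and split its space-separated key=value pairs."""
    fields = {}
    for pair in unquote(raw_value).split(" "):
        key, _, val = pair.partition("=")
        if key:
            fields[key] = val
    return fields

def audit(headers, watched=("ObSSOCookie", "ObFormLoginCookie")):
    """Return the names of watched cookies that are set without the Secure flag."""
    missing = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name in watched and "secure" not in attrs:
            missing.append(name)
    return missing

if __name__ == "__main__":
    name, raw, attrs = parse_set_cookie(SAMPLE)
    print(name, "Secure" if "secure" in attrs else "NOT secure", attrs.get("path"))
    for key, val in decode_form_login_value(raw).items():
        print(f"  {key} = {val}")
    print("Missing Secure flag:", audit([SAMPLE]))
```

Feed `audit()` the Set-Cookie lines captured from a WebGate response to see which of the two cookies, if any, is still issued without the flag.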
I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On, federation capabilities, etc. I am also well versed in complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience with products such as Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look at my blog: http://talkidentity.blogspot.com