The following KBA addresses a change to the cookie processor in Tomcat 8.5 and later which prevents the OpenAM Login page from loading and causes failures with ssoadm.
Login page does not load or ssoadm fails in OpenAM 12.x or 13.x running on Apache Tomcat 8.5 or 9
Tomcat now enforces stricter checking for valid cookie domain values per RFC 1034 and RFC 6265. In Tomcat 8.0.x, a leading dot was required for cookie domains, whereas this is no longer permitted in 8.5 and later.
Many of our customers and support engineers have faced this issue. The feedback we've received is that this is an important KBA and it would be very beneficial if the Release Notes would also point to it.
The article contains Related Issue Tracker IDs:
OPENAM-8668 (Fresh install of OpenAM doesn't load the login page on some Tomcat versions)
OPENAM-1983 (Configuration fail with second level FQDN like "example.com")
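
The stricter cookie domain check described above can be run against configured cookie domain values before moving to Tomcat 8.5 or 9. The following Python is an added example, not code from the KBA, OpenAM or Tomcat. Its rules (only letters, digits, dots and hyphens, with every label starting and ending in a letter or digit) are an assumption modelled on the RFC 1034 label grammar, and the sample domains are constructed.

```python
import string

# Assumed rule set, modelled on RFC 1034 labels (not Tomcat's own code).
_ALNUM = set(string.ascii_letters + string.digits)
_ALLOWED = _ALNUM | {".", "-"}


def check_cookie_domain(domain):
    """Return None if the domain passes the assumed check, else a reason."""
    for ch in domain:
        if ch not in _ALLOWED:
            return "illegal character %r" % ch
    for label in domain.split("."):
        if label == "":
            # A leading dot such as ".example.com" produces an empty first label.
            return "empty label (leading, trailing or doubled dot)"
        if label[0] not in _ALNUM or label[-1] not in _ALNUM:
            return "label %r must start and end with a letter or digit" % label
    return None


def suggest_fix(domain):
    """Candidate replacement with leading dots removed, or None if still invalid.

    RFC 6265 user agents ignore a leading dot in the Domain attribute, so the
    dot-less value matches the same hosts.
    """
    candidate = domain.lstrip(".")
    return candidate if check_cookie_domain(candidate) is None else None


def audit(domains):
    """Return one finding per domain that fails the check."""
    findings = []
    for d in domains:
        reason = check_cookie_domain(d)
        if reason is not None:
            findings.append({"domain": d, "reason": reason,
                             "suggested": suggest_fix(d)})
    return findings


# Constructed sample values, not taken from any real deployment.
SAMPLE_DOMAINS = [".example.com", "example.com",
                  "sso.example.com.", "bad_host.example.com"]

if __name__ == "__main__":
    for f in audit(SAMPLE_DOMAINS):
        print("%(domain)s: %(reason)s -> suggested: %(suggested)s" % f)
```
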