When policy evaluation returns advice to agents, agents 5.0.0 redirects the user back to the OIDC authorize endpoint so that the session can be upgraded according to the passed advice; the advice is passed as URL-encoded XML as an ACR value.
When the OIDC code validates the resource owner's session, it checks whether the session needs an upgrade, partly by introspecting the presence of the ACR value (https://stash.forgerock.org/projects/OPENAM/repos/openam/browse/openam-oauth2/src/main/java/org/forgerock/oauth2/core/ResourceOwnerSessionValidator.java#276). If the ACR value contains a COMPOSITE value, it always returns true, i.e. that the session needs upgrading (https://stash.forgerock.org/projects/OPENAM/repos/openam/browse/openam-core/src/main/java/org/forgerock/openam/authentication/SessionUpgradeVerifier.java?at=14.0.0#50).
This sends the user to the login pages. However, since the ACR values must be kept in the gotoUrl (so that they are included in the created ID token JWT for validation by the client), after the user enters their credentials and is sent back to the authorize endpoint, the validation once again sees the ACR advice value and sends the user back to the login screen. The result is a redirect loop.
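The loop can be reproduced with a small model of the flow. This is an added example, not OpenAM or agent code: the `COMPOSITE:` prefix, the advice XML, the `authorize_flow` simulation and the `needs_upgrade_checked` remedy (which compares the session's auth level against the advice instead of keying on the presence of COMPOSITE) are all assumptions made for illustration, not the project's actual fix.

```python
from urllib.parse import quote, unquote
import xml.etree.ElementTree as ET

# Constructed sample policy advice (auth level 2 required); format assumed for this example.
ADVICE_XML = ('<Advices><AttributeValuePair><Attribute name="AuthLevelConditionAdvice"/>'
              '<Value>2</Value></AttributeValuePair></Advices>')


def acr_from_advice(advice_xml):
    """Agent side: carry the advice to the authorize endpoint as a URL-encoded ACR value (assumed layout)."""
    return "COMPOSITE:" + quote(advice_xml, safe="")


def required_auth_level(acr_value):
    """Extract the AuthLevelConditionAdvice value from a COMPOSITE ACR value; 0 if there is none."""
    if not acr_value.startswith("COMPOSITE:"):
        return 0
    root = ET.fromstring(unquote(acr_value[len("COMPOSITE:"):]))
    for pair in root.iter("AttributeValuePair"):
        if pair.find("Attribute").get("name") == "AuthLevelConditionAdvice":
            return int(pair.findtext("Value"))
    return 0


def needs_upgrade_as_reported(session_auth_level, acr_value):
    """Behaviour described in the report: any COMPOSITE ACR value means 'upgrade', whatever the session has."""
    return acr_value.startswith("COMPOSITE:")


def needs_upgrade_checked(session_auth_level, acr_value):
    """Assumed remedy (not OpenAM's fix): upgrade only while the session does not yet satisfy the advice."""
    return session_auth_level < required_auth_level(acr_value)


def authorize_flow(verifier, acr_value, login_auth_level, max_redirects=5):
    """Simulate authorize -> login -> authorize with the ACR value kept in the gotoUrl throughout.

    Returns how many login redirects happened before an ID token was issued,
    or None when the flow never leaves the redirect loop.
    """
    session_auth_level = 0  # the user arrives without a session that satisfies the advice
    for redirects in range(max_redirects):
        if not verifier(session_auth_level, acr_value):
            return redirects  # ID token issued; the ACR claim is filled from acr_value
        session_auth_level = login_auth_level  # user logs in; gotoUrl still carries acr_value
    return None  # still being bounced to login after max_redirects round trips


if __name__ == "__main__":
    acr = acr_from_advice(ADVICE_XML)
    print("as reported:", authorize_flow(needs_upgrade_as_reported, acr, login_auth_level=2))
    print("checked:", authorize_flow(needs_upgrade_checked, acr, login_auth_level=2))
```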