The Web Proxy Agent 2.2-01 in Cross Domain Single Sign-on mode does not work with Access Manager 7.1 Patch . The agentRootURL requirement was added as a security measure to ensure that CDC is handing off ssotoken cookie to trusted agents running at known URLs.
Workaround
Create a new agent profile in the Access Manager server using the administration console.
Set the Agent Key agentRootURL=http://<agenthost>:<agentport>/using the console.
Get the encrypted password for the new agent profile using cryp_utilon the Agent
Use the new agent username and corresponding encrypted password in the AMAgent.properties file.