You must protect EPM System resources so that SSO requests from users are redirected to the security agent (OAM, OSSO, or SiteMinder).
Oracle HTTP Server uses mod_osso to redirect users to the OSSO server. Users are redirected only if the URLs that they request are configured in mod_osso to be protected. See Managing Security in the Oracle HTTP Server Administrator's Guide.
For information on protecting resources for SiteMinder SSO, see the SiteMinder documentation.
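Because mod_osso redirects only requests whose URLs are configured as protected, any path left outside a protected `<Location>` block is served without an SSO redirect. The following check is an added example, not Oracle's code: it parses a mod_osso configuration and lists the requested paths that no protected block covers. It assumes the `AuthType Osso` plus `require valid-user` form of `<Location>` blocks, ignores `<LocationMatch>`, and uses constructed placeholder paths rather than real EPM System contexts.

```python
import re

# Constructed mod_osso.conf sample; the paths are placeholders, not real EPM System contexts.
SAMPLE_CONF = """\
<IfModule mod_osso.c>
    <Location /app-a>
        require valid-user
        AuthType Osso
    </Location>
    <Location /app-b/secure>
        require valid-user
        AuthType Osso
    </Location>
    # <Location /app-c> was commented out, so nothing protects it
    <Location /app-d>
        AuthType Osso
    </Location>
</IfModule>
"""

LOCATION_RE = re.compile(
    r'^[ \t]*<Location\s+"?([^\s">]+)"?\s*>(.*?)^[ \t]*</Location>',
    re.S | re.M | re.I)

def protected_prefixes(conf_text):
    """Paths of <Location> blocks that set AuthType Osso and also carry a require line."""
    live = "\n".join(l for l in conf_text.splitlines() if not l.lstrip().startswith("#"))
    found = []
    for path, body in LOCATION_RE.findall(live):
        has_auth = re.search(r"^[ \t]*AuthType[ \t]+Osso[ \t]*$", body, re.I | re.M)
        has_require = re.search(r"^[ \t]*require[ \t]+\S+", body, re.I | re.M)
        if has_auth and has_require:  # AuthType without require enforces nothing
            found.append(path)
    return found

def is_protected(url_path, prefixes):
    """<Location /x> covers /x and /x/...; it does not cover /xyz."""
    for p in prefixes:
        if url_path == p or url_path.startswith(p if p.endswith("/") else p + "/"):
            return True
    return False

def unprotected(url_paths, conf_text):
    """Requested paths that mod_osso would pass through without an SSO redirect."""
    prefixes = protected_prefixes(conf_text)
    return [u for u in url_paths if not is_protected(u, prefixes)]
```

Run `unprotected()` with the list of application contexts that must sit behind SSO and the deployed configuration text; an empty result means every listed path falls under a protected block.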