This is more of a reminder for myself but if you ever get a dreaded Tomcat 500 message from the agent and SSL errors in the siteminder logs than the included openssl s_client command will be your friend.
In our case, the reverse proxy servlet was unable to retrieve the SharePoint pages due to certificate validation errors. Everything on the SiteMinder server looked correct. We assumed our SharePoint certificates were fine as we could reach the ClaimsWS, providing the certificate for client authentication successfully.
Finally after comparing a working environment against this broken one using the openssl s_client tool. We found that the full certificate chain was not being sent to SiteMinder. Turns out one of the intermediate certs was corrupted and showing as self signed instead of pointing back to the root CA cert.
A quick re-export of the intermediate certificate from a working environment and a rebind and we were back in business (after many hours burned on it).
openssl s_client -connect host:port -showcerts