SharePoint access works with RSA SecurID logon if initiated on the local Windows 2012 Server that hosts the SharePoint site, but not from anywhere else. Remote authentication to SharePoint through SecurID causes the authentication logon page to loop; in other words, as soon as the authentication is successful, control is passed from RSA to SharePoint, at which point SharePoint rejects the authentication with an access denied message or the message that you do not have access to this page. SharePoint then redirects the user back to RSA, which is the authentication page loop that we see.
The RSA aceclient.log shows AUTH_DONE, after which the cookie that allows integration into SharePoint by UserID is built. But the redirect to SharePoint fails. Originally we thought this was possibly because the cookie had bad or incorrect information (possibly time), or possibly because the IIS configuration had an Application Pool Identity Account that was a local account and not the Network Service Account.
The cookie passed to SharePoint contains the IP address, which only matches the IIS server host when a local browser is used.
To resolve this issue, we need to enable the option "Ignore Browser IP Address for Cookie Validation" on the RSA authentication agent setup page for the SharePoint site in IIS.
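The logon loop described above can be reproduced with a simplified model of an IP-bound session cookie. This is an added example, not RSA's code or cookie format: the `user|ip|expiry|mac` layout, the key, the lifetime, the function names and the documentation-range addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed values for this model; not RSA's real key material or cookie layout.
SECRET = b"constructed-demo-key"
COOKIE_LIFETIME = 900  # seconds (assumed)

def issue_cookie(user_id, browser_ip, now=None):
    """Build 'user|ip|expiry|mac' after a successful logon (AUTH_DONE)."""
    expiry = int(now if now is not None else time.time()) + COOKIE_LIFETIME
    payload = f"{user_id}|{browser_ip}|{expiry}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def validate_cookie(cookie, expected_ip, ignore_browser_ip=False, now=None):
    """Return (ok, reason). expected_ip is the address the validator compares against."""
    try:
        user_id, cookie_ip, expiry, mac = cookie.split("|")
        expiry = int(expiry)
    except ValueError:
        return False, "malformed"
    payload = f"{user_id}|{cookie_ip}|{expiry}"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad-mac"
    if (now if now is not None else time.time()) > expiry:
        return False, "expired"
    # The IP binding is the only check the "ignore" option switches off.
    if not ignore_browser_ip and cookie_ip != expected_ip:
        return False, "ip-mismatch"
    return True, "ok"

def logon_attempts(browser_ip, expected_ip, ignore_browser_ip, max_redirects=5):
    """Count logon round trips until access is granted; None means a redirect loop."""
    for attempt in range(1, max_redirects + 1):
        cookie = issue_cookie("jdoe", browser_ip)  # logon succeeds every time
        ok, _ = validate_cookie(cookie, expected_ip, ignore_browser_ip)
        if ok:
            return attempt
    return None  # each successful logon was bounced back to the logon page

IIS_HOST = "192.0.2.10"       # constructed: the server, also the local browser's address
REMOTE_PC = "198.51.100.25"   # constructed: a browser elsewhere on the network
```

In this model the signature and expiry checks still apply with the option enabled; only the binding of the cookie to one address is dropped.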