I can’t stress enough how important it is to know the sites/applications that you are trying to protect with OAM before you get started with an implementation. I know that this seems like an obvious statement but it’s really common to start implementing before you have discovered all of the information about the site/application.
You should have documented the hostname, urls, ports, authentication requirements (u/p, smart card, securid, etc), the authorization rules (aka entitlements or who is allowed to access each resource and under what conditions.). I have seen several times an integrator run ahead with the installation only to find out mid-way that they haven’t downloaded the right webgate or that they didn’t know that a particular application had multiple authentication requirements.
Spend the time at the start of the project to identify all of the application requirements, make sure that you have documented the requirements and then have them vetted by the application owner … before you start implementing.