Best way to handle Oracle OAM session cookies?

I am seeing several alerts on our OAM session cookies with multiple applications and policies. Not sure the best way to adjust the policy for these because the cookie has different values each time it shows up. They all seem to have the GET /obrar.cgi method and then the cookie parameter seems to be different based on the session for the user. It gets flagged on meta characters and other things. Are there any good ways to allow for this and do some kind of sanity check instead of just opening up everything from the URL /obrar.cgi?