In OpenSSO, there are 2 types of Policy Agent to choose. Customers always get confused on which type and on which tier to deploy in their environment.
The following diagrams illustrates clearly. Based on the Selection Criteria, Web Policy Agent will be deployed on the Web tier.
J2EE Policy Agent will be deployed on the Application tier.
PS: If J2EE Policy Agent is deployed on the Application tier, there is no need for Web Policy Agent to be deployed on the Web tier. Simply allow the pass-through on the web server and let the Policy Evaluation be carried out on the Application tier.