diff --git a/mas-foundation/src/main/java/com/ca/mas/core/context/MssoContext.java b/mas-foundation/src/main/java/com/ca/mas/core/context/MssoContext.java
index 41b64208e..141d9545a 100755
--- a/mas-foundation/src/main/java/com/ca/mas/core/context/MssoContext.java
+++ b/mas-foundation/src/main/java/com/ca/mas/core/context/MssoContext.java
@@ -325,7 +325,14 @@ public void onAccessTokenAvailable(String accessToken, String refreshToken, long
      * Clear the access token, forcing the next request to obtain a new one.
      */
     public void clearAccessToken() {
-        privateTokens.clear();
+        privateTokens.clearAccessToken();
+    }
+
+    /**
+     * Clears the access token and refresh token, leaving the ID token, if present.
+     */
+    public void clearAccessAndRefreshTokens() { 
+        privateTokens.clear(); 
     }
 
     /**
diff --git a/mas-foundation/src/main/java/com/ca/mas/core/policy/AccessTokenAssertion.java b/mas-foundation/src/main/java/com/ca/mas/core/policy/AccessTokenAssertion.java
index f3ac84637..b56b5d952 100755
--- a/mas-foundation/src/main/java/com/ca/mas/core/policy/AccessTokenAssertion.java
+++ b/mas-foundation/src/main/java/com/ca/mas/core/policy/AccessTokenAssertion.java
@@ -122,14 +122,15 @@ private String findAccessToken(MssoContext mssoContext, MAGInternalRequest reque
             } else {
                 accessToken = null;
             }
+        }
 
-            String refreshToken = mssoContext.getRefreshToken();
-            if (refreshToken != null) {
-                accessToken = obtainAccessTokenUsingRefreshToken(mssoContext, refreshToken);
-            }
+        String refreshToken = mssoContext.getRefreshToken();
+        if (refreshToken != null) {
+            accessToken = obtainAccessTokenUsingRefreshToken(mssoContext, refreshToken);
+        }
 
-            if (accessToken != null)
-                return accessToken;
+        if (accessToken != null) {
+            return accessToken;
         }
 
         // Obtain an access token from the token server.
@@ -258,7 +259,7 @@ private String obtainAccessTokenUsingRefreshToken(MssoContext mssoContext, Strin
 
             if(tse.getResponse()!= null){
                 //The access token and refresh token are no longer valid.
-                mssoContext.clearAccessToken(); 
+                mssoContext.clearAccessAndRefreshTokens();
             }
             accessToken = null;
             if (DEBUG) Log.w(TAG,
diff --git a/mas-foundation/src/main/java/com/ca/mas/core/policy/SecureLockAssertion.java b/mas-foundation/src/main/java/com/ca/mas/core/policy/SecureLockAssertion.java
index 247c5b0f8..16bb1fc02 100644
--- a/mas-foundation/src/main/java/com/ca/mas/core/policy/SecureLockAssertion.java
+++ b/mas-foundation/src/main/java/com/ca/mas/core/policy/SecureLockAssertion.java
@@ -44,7 +44,7 @@ public void processRequest(MssoContext mssoContext, RequestInfo request) {
             if (revokeRequest != null) {
                 MAS.invoke(OAuthClientUtil.getRevokeRequest(), null);
             }
-            mssoContext.clearAccessToken();
+            mssoContext.clearAccessAndRefreshTokens();
             throw new SecureLockException("The session is currently locked.");
         }
     }
diff --git a/mas-foundation/src/main/java/com/ca/mas/core/policy/exceptions/InvalidClientCredentialException.java b/mas-foundation/src/main/java/com/ca/mas/core/policy/exceptions/InvalidClientCredentialException.java
index 904036cef..4a749946a 100644
--- a/mas-foundation/src/main/java/com/ca/mas/core/policy/exceptions/InvalidClientCredentialException.java
+++ b/mas-foundation/src/main/java/com/ca/mas/core/policy/exceptions/InvalidClientCredentialException.java
@@ -27,7 +27,7 @@ public InvalidClientCredentialException(Throwable throwable) {
 
     @Override
     public void recover(MssoContext context) {
-        context.clearAccessToken();
+        context.clearAccessAndRefreshTokens();
         context.clearClientCredentials();
     }
 }
diff --git a/mas-foundation/src/main/java/com/ca/mas/core/store/OAuthTokenContainer.java b/mas-foundation/src/main/java/com/ca/mas/core/store/OAuthTokenContainer.java
index 5e7630f9b..1710934bd 100755
--- a/mas-foundation/src/main/java/com/ca/mas/core/store/OAuthTokenContainer.java
+++ b/mas-foundation/src/main/java/com/ca/mas/core/store/OAuthTokenContainer.java
@@ -25,6 +25,8 @@ public interface OAuthTokenContainer {
      */
     long getExpiry();
 
+    void clearAccessToken();
+
     void clear();
 
     void clearAll();
diff --git a/mas-foundation/src/main/java/com/ca/mas/core/store/PrivateTokenStorage.java b/mas-foundation/src/main/java/com/ca/mas/core/store/PrivateTokenStorage.java
index 4b5d5360a..45d4e39d2 100755
--- a/mas-foundation/src/main/java/com/ca/mas/core/store/PrivateTokenStorage.java
+++ b/mas-foundation/src/main/java/com/ca/mas/core/store/PrivateTokenStorage.java
@@ -96,6 +96,12 @@ public long getExpiry() {
         }
     }
 
+    @Override
+    public void clearAccessToken() {
+        storage.remove(getKey(KEY.PREF_ACCESS_TOKEN.name()));
+        storage.remove(getKey(KEY.PREF_EXPIRY_UNIXTIME.name()));
+    }
+
     @Override
     public void clear() {
         for (KEY k : KEY.values()) {