I am using framework version 1.1.20. I have noticed that validateCSRFToken is not working with a POST request. In investigating further I discovered that the token value store in $_POST is UrlEncoded, and thus does not get unmasked by unmaskToken.
To prove this, I changed line 1370 in CHttpRequest.php from
$maskedUserToken=$this->getPost($this->csrfTokenName);
to
$makedUserToken= urldecode($this->getPost($this->csrfTokenName));
This solved the problem, but I am wondering if there is a way to resolve this without changing the framework.