Correct - my scenario is about a SP deployed in a single server and accessed in two different ways (directly on the server or via a reverse proxy).
As for how we are managing this today...
Unfortunately we cannot use PicketLink for SSO because of this issue. All of our JBoss apps still use FORM based authentication.