Hi,

I am working on several JEE web apps that are deployed on a Wildfly 9.0.2 application server.  We have SSO enabled and working, but are having an issue where the SSO cookie is not always returned.  Specifically, if we restart the Wildfly instance, two of the several applications deployed on the server stop returning the JSESSIONIDSSO cookie in their responses.  If we disable and then re-enable those apps then they work perfectly until the next time Wildfly is restarted.  

The issue described occurs in both UAT and Production environments.  Both environments are set up in clustered mode, with the only real difference being that UAT has more applications deployed on it.  The Wildfly instances also sit behind an Apache HTTPd reverse proxy using mod_proxy.  If the servers are accessed directly - bypassing the Apache server - the problem does not occur.  After much poking around I can only assume that the issue is triggered by the different headers present on the proxied requests.  That's a guess, though, and I would really appreciate any input from people who know Undertow much better.

All of our applications are configured the same way with regard to security and the technology stack used.  Authentication is provided by the server via a security domain that delegates to a security realm, and is backed by Active Directory.  I have attached the relevant configuration files and examples of the requests and responses.  In terms of versions, I have reproduced the issue in Wildfly 8.0.2, 9.0.1, 9.0.2, and 10.0.1 (not sure what Undertow versions they correspond to).

The Wildfly forum had no answers and directed me here, so I hope someone here can help!

(PS: I've changed the actual IP addresses, server names, etc. in the attached files so I don't expose the real systems - I know the IPs aren't valid, but they are on the real system!)

Thanks,
Matt