I've continued digging into my issue and noticed that the default DistributableSessionManager uses the org.wildfly.clustering.web.infinispan.session.InfinispanSessionManager, which I guess comes from the module parameter in the cache-container definition.
Part of my problem is that I am trying to invalidate() the session returned by the SessionManager, but when I do a SessionManager.getSession(sessionId), it returns an DistributableImmutableSession whose invalidate() method intentionally does nothing.
So how can I invalidate a session? Is there no way to invalidate a session by sessionId with the DistributableSessionManager? If so, how? If not, how do I define a SessionManager that would give me access that?