I have a couple of EAP instances where an application protected by SPNEGO  and <single-sign-on/> is enabled, and set up httpd as a proxy in front of EAP instances.

When accessing EAP #1 via httpd, SPNEGO authentication happens. And subsequent requests to EAP #1 via httpd do not require authentication (cached-session mechanism works fine).

Then, accessing EAP #2 via httpd, SPNEGO authentication happens as well, then, unlike #1, every subsequent requests to EAP #2 require authentication (it seems cached-session mechanism does not work).

Swapping #1 and #2, Re-authentication happens for every subsequent requests to EAP #1, therefore, it is not caused by something wrong in EAP #2 configuration (The configurations of both nodes are exactly same except for the node names).

I do not see the issue removing <single-sign-on/> from the undertow subsystem in both nodes.
Hence, the issue would be caused by conflict between the single-sign-on feature in undertow and local authentication of a single application.