
Clustered SSO improperly invalidated upon web application shutdown


The ClusteredSingleSignOn valve maintains a set of session ids associated with each SSO. It clears ids from the set when it receives a session destroyed event. The SSO is invalidated when all sessions have been destroyed or when any session is destroyed prior to its timeout period (implying deliberate invalidation by the app).

The problem is that Tomcat expires any active sessions as part of its webapp shutdown process. So, when an app is shut down, its sessions are destroyed, and thus possibly the SSOs associated with those sessions. If a user fails over to another cluster node, the SSO will no longer be valid and the user will have to reauthenticate.

A further complication is that the SSO valve treats early expiration of any session as a deliberate logout, and thus invalidates the SSO. A webapp shutdown is very likely to result in premature session expiration, and will thus kill an SSO even if other apps associated with the SSO are still running on the server.
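The bookkeeping the description lays out (a session-id set per SSO, trimmed on session-destroyed events, with destruction before the timeout read as a logout) modelled in plain Java. This is an added example, not code from the JBoss valve or from Tomcat, and it does not use their APIs. The `DestroyReason` type and the `distinguishContextStop` flag are assumptions of this example: they show one possible mitigation (not treating a shutdown-driven expiration as a logout, and not counting it toward "all sessions gone") beside the behaviour the issue describes, so the fail-over consequence can be reproduced without a cluster.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Toy model of the per-SSO session bookkeeping described in the issue.
 * Added illustration only; it does not use the Tomcat/JBoss valve API.
 */
public class SsoSessionTracker {

    /** Why a session was destroyed. CONTEXT_STOP is the webapp-shutdown case from the issue (assumed name). */
    public enum DestroyReason { TIMEOUT, LOGOUT, CONTEXT_STOP }

    /** ssoId -> ids of the sessions currently tied to that SSO. */
    private final Map<String, Set<String>> ssoSessions = new HashMap<>();
    /** sessionId -> ssoId, so a destroyed-session event can find its SSO. */
    private final Map<String, String> sessionToSso = new HashMap<>();
    /** true = assumed mitigation: a context stop is not treated as a logout. */
    private final boolean distinguishContextStop;

    public SsoSessionTracker(boolean distinguishContextStop) {
        this.distinguishContextStop = distinguishContextStop;
    }

    /** Registers the SSO if it is new and ties a session to it. */
    public void associate(String ssoId, String sessionId) {
        ssoSessions.computeIfAbsent(ssoId, k -> new HashSet<>()).add(sessionId);
        sessionToSso.put(sessionId, ssoId);
    }

    /** An SSO is valid as long as it is still in the registry. */
    public boolean isValid(String ssoId) {
        return ssoSessions.containsKey(ssoId);
    }

    /**
     * Handles a session-destroyed event. Returns true if the SSO was
     * invalidated as a result of this event.
     */
    public boolean sessionDestroyed(String sessionId, DestroyReason reason) {
        String ssoId = sessionToSso.remove(sessionId);
        if (ssoId == null) {
            return false;                      // session was never tied to an SSO
        }
        Set<String> sessions = ssoSessions.get(ssoId);
        if (sessions == null) {
            return false;                      // SSO already gone
        }
        sessions.remove(sessionId);

        if (reason == DestroyReason.CONTEXT_STOP && distinguishContextStop) {
            // Mitigation: the app is stopping, the user did not log out.
            // Keep the SSO so a fail-over to another node still finds it valid,
            // even when this was the last session on this node.
            return false;
        }

        // Rule from the issue: destruction before the timeout means a deliberate
        // logout, so the SSO dies at once. Without the mitigation a context stop
        // looks exactly like that, which is the reported bug.
        boolean earlyDestruction = reason != DestroyReason.TIMEOUT;
        if (earlyDestruction || sessions.isEmpty()) {
            invalidate(ssoId);
            return true;
        }
        return false;
    }

    private void invalidate(String ssoId) {
        Set<String> sessions = ssoSessions.remove(ssoId);
        if (sessions != null) {
            for (String s : sessions) {
                sessionToSso.remove(s);       // drop the reverse mappings too
            }
        }
    }

    public static void main(String[] args) {
        // Constructed scenario: one SSO, two webapps on the same node, app A shuts down.
        for (boolean mitigated : new boolean[] { false, true }) {
            SsoSessionTracker tracker = new SsoSessionTracker(mitigated);
            tracker.associate("sso-1", "sessionA");   // session in webapp A
            tracker.associate("sso-1", "sessionB");   // session in webapp B
            // Webapp A stops; the container expires sessionA as part of the shutdown.
            boolean killed = tracker.sessionDestroyed("sessionA", DestroyReason.CONTEXT_STOP);
            System.out.println((mitigated ? "mitigated" : "original")
                    + ": SSO invalidated by app shutdown = " + killed
                    + ", sso-1 still valid = " + tracker.isValid("sso-1"));
        }
    }
}
```

Run with `javac SsoSessionTracker.java && java SsoSessionTracker`. The "original" line shows the SSO dying when webapp A stops even though webapp B's session is still alive; the "mitigated" line keeps it valid. Whatever signal a real valve uses to tell a stopping context from a user logout, the check that matters for failover is that shutdown-driven session expiration neither counts as a logout nor, on its own, as "all sessions destroyed".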

              bstansbe@redhat.com Brian Stansberry
              bstansbe@redhat.com Brian Stansberry