- Documentation
- Resolution: Done
- Major
- 7.1.0.DR19
There are some differences between Elytron and PicketBox security domains that should be highlighted in the Security Architecture guide (perhaps in the "2.6.1.3. SECURITY DOMAINS" section?):
- A deployment should be associated with either a single Elytron security domain or legacy PicketBox security domain(s). A deployment should not be associated with both an Elytron security domain and a legacy security domain - that's an invalid configuration.
- For the Elytron case, an exception will occur if a deployment is associated with more than one Elytron security domain.
- For the legacy case, a deployment can be associated with multiple legacy security domains (because a PicketBox security domain is not the same thing as an Elytron security domain).
Here's some additional background information on Elytron vs. PicketBox security domains taken from some discussion in JBEAP-10980:
When working with PicketBox, the security domain would encapsulate both access to the underlying identity store and mapping this for authorization decisions; users of PicketBox with different stores were forced into using different security domains for different sources. When migrating to WildFly Elytron, these two functions have been separated, with access to the stores represented by security realms and mapping for authorization handled by security domains, which effectively represent the authorization policy.
A customer requiring independent security domains for deployments in PicketBox does not mean they require independent Elytron domains.
- is related to: JBEAP-6103 EJB with defined specific security domain which is different than the one used for undertow fails when using with elytron (Closed)
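
One way to express the realm/domain separation described above in the management CLI, as an added example that is not part of the original issue or of the product documentation. All resource names (`app-realm`, `app-domain`, `app-http-auth`, `legacy-web-domain`, `legacy-ejb-domain`) are hypothetical, and `global` and `default-permission-mapper` are assumed to exist as in the default Elytron subsystem configuration.

```jboss-cli
# Constructed example; every resource name below is hypothetical.

# Identity store access lives in a security realm.
/subsystem=elytron/filesystem-realm=app-realm:add(path=app-users, relative-to=jboss.server.config.dir)

# The authorization policy lives in a single Elytron security domain over that realm.
/subsystem=elytron/security-domain=app-domain:add(realms=[{realm=app-realm}], default-realm=app-realm, permission-mapper=default-permission-mapper)

# HTTP authentication for web deployments, backed by the same Elytron domain.
/subsystem=elytron/http-authentication-factory=app-http-auth:add(http-server-mechanism-factory=global, security-domain=app-domain, mechanism-configurations=[{mechanism-name=BASIC, mechanism-realm-configurations=[{realm-name=app-realm}]}])

# A deployment that referenced two different legacy domain names (one for web,
# one for EJB) keeps those names; both are mapped to the one Elytron domain,
# so the deployment is still associated with a single Elytron security domain.
/subsystem=undertow/application-security-domain=legacy-web-domain:add(http-authentication-factory=app-http-auth)
/subsystem=ejb3/application-security-domain=legacy-ejb-domain:add(security-domain=app-domain)
```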