This issue has resurfaced with 7.1.0.DR3. It has been previously reported and fixed in 7.0.x.

See "Steps to Reproduce". Logging out from an application only works every second time, e.g. HttpRequestServlet.logout() has to be called twice in order to have any effect. This doesn't occur without <single-sign-on/> enabled - logout() has the expected effect. The issue is security related, thus I'm adding our security team members as watchers. I suggest blocker priority due to this being related to security, but if you're of different opinion, let's discuss.

I'm trying to create a test in the WildFly integration testsuite (I hit this in the upstream as well, Jira on the way) but I'm currently failing ([1]). The test I have written is currently passing. I don't know why yet, but either the test is bad or there might be something specific about the issue. The reproducer from JBEAP-1282 still works (in other words, it is failing now that the issue has appeared again).

[1]: https://github.com/LittleJohnII/wildfly/blob/sso-logout/testsuite/integration/clustering/src/test/java/org/jboss/as/test/clustering/cluster/sso/ClusteredSingleSignOnTestCase.java see testLogoutWithClusteredSSO