Session is needed when user logs in. Our SSO server requires cookies so there is no reason to support "no cookie" mechanism.

In web.xml add

<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>

More info:
http://ocpsoft.org/support/topic/session-id-is-appended-as-url-path-parameter-in-very-first-request/
http://stackoverflow.com/questions/9702789/jboss-7-0-1-running-without-jsessionid-in-the-url-is-not-working