For the initial authentication the 'protocol' part of the digest-uri is determined by:

final String protocol = optionMap.get(RemotingOptions.SASL_PROTOCOL, RemotingOptions.DEFAULT_SASL_PROTOCOL);

This means that for both the server and the client the protocol turns out to be 'remote' (most of the time).

When using authentication switching however the 'protocol' part of the URI is used, which means that the authentication is sensitive to the actual URI provided to the client. In particular on the server side org.jboss.as.remoting.RemotingHttpUpgradeService hard codes the 'http-remoting' protocol name so a client that has created a connection with 'remote+http' will not be able to use user switching.