Undertow / UNDERTOW-569

Concurrent session invalidation can trigger deadlocks due to recursive SSO listener invocation


    • Bug
    • Resolution: Done
    • Blocker
    • 1.3.4.Final
    • 1.3.1.Final
    • Security
    • None

      If 2 sessions associated with the same SSO invalidate at the same time, the triggered SSO session destroyed listener will attempt to invalidate each other. In the case of distributed web sessions/SSO, this can easily deadlock, as one thread will have the lock on the SSO and be attempting to acquire a lock on the associated session in order to invalidate it. If another thread is concurrently timing out its session, it will be waiting to acquire a lock on the SSO, causing a deadlock.

      To fix this, we should perform invalidation of associated sessions after removing the SSO. Thus only 1 thread will actually attempt the invalidation of the others, since only one thread will attempt to remove the SSO; the other will not find it.

      N.B. This actually affects 1.3.3.Final, but the versions in Jira are not up to date.

              pferraro@redhat.com Paul Ferraro
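The ordering proposed in the description, as a small model added here for illustration (not code from Undertow or from the reporter): the SSO entry is removed atomically before any associated session is touched, so only the thread that wins the removal cascades. The class, the field names and the sample ids are hypothetical, and in-process `ReentrantLock`s stand in for the distributed session locks.

```java
import java.util.*;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.locks.ReentrantLock;

// Hypothetical model of the proposed ordering; not Undertow's SSO or session API.
public class SsoInvalidationOrder {
    static final String SSO_ID = "sso-1"; // constructed sample data
    static final ConcurrentMap<String, Set<String>> ssoRegistry = new ConcurrentHashMap<>();
    static final ConcurrentMap<String, ReentrantLock> sessionLocks = new ConcurrentHashMap<>();
    static final Set<String> invalidated = ConcurrentHashMap.newKeySet();
    static final AtomicInteger cascades = new AtomicInteger();

    // Invalidate one session; its destroyed listener runs under the session lock.
    static void invalidate(String sessionId) {
        ReentrantLock lock = sessionLocks.computeIfAbsent(sessionId, k -> new ReentrantLock());
        lock.lock();
        try {
            if (!invalidated.add(sessionId)) return; // already invalidated by a peer
            sessionDestroyed(sessionId);
        } finally {
            lock.unlock();
        }
    }

    // Remove the SSO first. remove() is atomic, so exactly one thread receives the
    // member set and cascades; the loser sees null and never waits on a peer's lock.
    static void sessionDestroyed(String sessionId) {
        Set<String> members = ssoRegistry.remove(SSO_ID);
        if (members == null) return;
        cascades.incrementAndGet();
        for (String other : members) {
            if (!other.equals(sessionId)) invalidate(other);
        }
    }

    public static void main(String[] args) throws Exception {
        ssoRegistry.put(SSO_ID, new HashSet<>(List.of("s1", "s2", "s3")));
        ExecutorService pool = Executors.newFixedThreadPool(2);
        CountDownLatch start = new CountDownLatch(1);
        for (String id : List.of("s1", "s2")) { // two sessions of one SSO expire together
            pool.submit(() -> { start.await(); invalidate(id); return null; });
        }
        start.countDown();
        pool.shutdown();
        boolean finished = pool.awaitTermination(5, TimeUnit.SECONDS);
        System.out.printf("finished=%b cascades=%d invalidated=%s%n",
                finished, cascades.get(), new TreeSet<>(invalidated));
    }
}
```

The thread that loses the race still holds its own session lock while its listener runs, but it returns without requesting any other lock, which is what breaks the wait cycle described in the report.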