In SingleSignOnAuthenticationMechanism.java we have this method:

private void clearSsoCookie(HttpServerExchange exchange)

{ exchange.getResponseCookies().put(cookieName, new CookieImpl(cookieName).setMaxAge(0).setHttpOnly(httpOnly).setSecure(secure).setDomain(domain)); }

As you can see the path is not set on the Cookie.

As a result the cookie will still be present and send again on subsequent requests.