I created a discussion about the issue some time ago but got no answer.
The problem is that when a webapp is not marked as 'distributable', the Undertow InMemorySessionManager is used.
As mentioned in the discussion, the 'getSession' of this manager does not like to be called with a null parameter, which is what WildFly does.
This happens when single-sign-on is enabled and multiple sessions are associated with the same SSO session and 'invalidate' is called on one of the sessions.
The workaround is to mark all our webapps as distributable, but this will have a performance impact.