I'm sorry but I don't know enough to really provide details. The only thing I know (because I was told) is when the SingleSignOn class is "turned on" in Tomcat's configuration, the following behavior occurs:
1. User accesses web application A.
2. Web application A requires user to authenticate.
3. User accesses web application B.
4. Web application B trusts credentials entered in #2 (and therefore does not re-authenticate user).
The problem I am facing is that I want the above to be true for a set of, but not all, web applications deployed in JBoss/Tomcat.
If you want to dig deeper, I suggest going to the Tomcat documentation. The server.xml file that contains the reference to the SingleSignOn class is found in the \deploy\jbossweb-tomcat50.sar folder. The configuration looks like the following and is, by default, commented out.