Can you attach a screenshot from your browser's web dev tool, which shows the network requests? That will help us understand a bit better the flow of these requests and the response (codes) returned.
Of course. Below is the working sequence of events that takes place in Firefox. I click submit on the login form, we authenticate/authorize on the server then are correctly redirected to “/my_account_setup”.
Firefox request header:
Things seem to go wrong in IE/Edge. Preforming the same steps that produced the events listed above I now see two j_security_check (first showing "pending") requests made with not a redirected 302 response but a landing on “j_security_check”.
IE request header:
It looks like we found our culprit. The form on the JSP had a JS submit without a "return false" which allowed the action to continue which resulted in a double POST (we programatically submitted then allowed the form to submit again). We used a proxy to see the two packets. One contained good credentials and the other was questionable. From there we saw what appeared to be a race condition on the server. There was also some questionable layouts within the JSP (which IE seems to be picky about) which we corrected. After making the two changes our issue cleared up.