I investigated my problem with debugger. It is reusing on the same login-module (standard) in 2 web contexts (portal-server.war and myportal.war). It appeared that they are using the same instance of PortalAuthorizationManagerFactory and this object has some state injected by 1st context initialization (whatever you access first). So after that 2nd context doesn't go though all phases of role list initialization and therefore fails to authenticate with error 401.
Any ideas? Shall I submit it as a bug or it is me doing that wrong?