Thanks to JBoss team, this problem is resolved with help of JBoss team.
Here is the solution:
Instead of SecurityAssociation class, I used HTTPSession to store the roles. By this we don't need to validate the session every time we do the role check.
So, in GenericHeaderAuthentication.java
// This is how the roles are passed into the login module where they will be set
HttpSession http_session = request.getSession();
and in SSOLoginModule.java, you retrieve the roles using below mentioned code:
HttpServletRequest request =
List<String> sessionRoles = (List<String>) request.getSession().getAttribute("roles");
This resolved the problem.
Message was edited by: Siddu Bulla