Do you see the same behavior with the default configuration (not using your custom SSO config)? Which AS are you using?
It's a proprietary SSO system that passes the user and role information in through an encrypted header. The valve decrypts the header and creates the appropriate principal objects. A login module then passes those objects back to JBoss (login module is an implementation of UsernamePasswordLoginModule). I have verified the following use cases:
1. Restarting the SSO system, but not JBoss, does NOT affect the behavior
2. Restarting JBoss, but not the SSO system, causes the session to reflect the correct roles
I've also verified that getRoleSets() in the login module is returning the correct set of roles. What I don't know is if the issue is in JBoss or JBPM. I don't think you could reproduce this using the standard "other" security domain because don't you need to restart JBoss for changes to the text files containing the user's groups to take effect? That would clear out the "cache" if it does exist.
I "broke" my test system for now, but once I have it working again I'll post the logs for additional context.