You need to take a step back; it may not be an additional security domain you need.
What kind of verification do you need and how does this differ from the things validated using form authentication?
I have a main application which tracks the sessions created when a user logs in to the web application. So one verification is whether the user has exceeded the maximum number of concurrent sessions, another is whether the user has applied the license to the application, and so on.
If this is handled within security domains, you could probably add additional login modules to your configuration. The problem here, however, would be that you would then need to disable all caching on that security domain; otherwise the user could open an unlimited number of sessions and rely on the successful auth being cached.
Alternatively, the concurrency side may be better tracked with either an HTTP Servlet Filter or possibly an Undertow HttpHandler.
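A sketch of the Servlet Filter option suggested above, as an added example that is not code from this thread or from the application being discussed. It assumes the `javax.servlet` API (newer servers use `jakarta.servlet`), a single non-clustered node, and a filter mapping that covers the protected URLs; the class name, the limit and the attribute name are hypothetical.

```java
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

public class ConcurrentSessionFilter implements Filter {
    private static final int MAX_SESSIONS = 2;              // assumed limit
    private static final String MARK = "concurrency.slot";  // hypothetical attribute name
    // user name -> one Slot per live session counted for that user (this JVM only)
    private static final ConcurrentHashMap<String, Set<Slot>> LIVE = new ConcurrentHashMap<>();

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        String user = req.getRemoteUser();          // null until the container has authenticated
        HttpSession session = req.getSession(false);
        if (user != null && session != null) {
            Set<Slot> slots = LIVE.computeIfAbsent(user, u -> ConcurrentHashMap.newKeySet());
            boolean admitted = true;
            synchronized (slots) {                  // check-and-claim is atomic per user
                if (session.getAttribute(MARK) == null) {   // session not counted yet
                    admitted = slots.size() < MAX_SESSIONS;
                    if (admitted) {
                        Slot slot = new Slot(user);
                        slots.add(slot);
                        session.setAttribute(MARK, slot);   // released in valueUnbound
                    }
                }
            }
            if (!admitted) {
                session.invalidate();               // drop the over-limit session
                ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(rq, rs);
    }

    // Frees the user's slot when the session is invalidated or times out.
    static final class Slot implements HttpSessionBindingListener {
        private final String user;
        Slot(String user) { this.user = user; }
        @Override public void valueBound(HttpSessionBindingEvent e) { }
        // The per-user set is never removed from LIVE, so get() cannot return null here.
        @Override public void valueUnbound(HttpSessionBindingEvent e) { LIVE.get(user).remove(this); }
    }
}
```

Because the check runs on every request against the session itself, it does not depend on whether the security domain served the authentication from its cache.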
I tried HttpHandler, but I am not able to get the session in the handle request method.