Let me clarify my problem.
<single-sign-on> will not work in the scenario above in wildfly if the username/password that I used for the first webapp, that is for the first security-domain, is not valid for the second security-domain. But if the credentials are valid on both security-domain (regardless on the actual backend) then I can navigate to the other webapp.
It seems to me that wildfly will 'reauthenticate'.
Is there an option to override this? (like it exists in Jboss EAP 6?)