I think it's because the security manager can no longer validate the user in that cache, and force the user to login again. That's not what you wanted?
You can also try to turn on trace in org.jboss.security catalog. A lot of stuff you could see in logs.
I think you are right.
Does anybody know how to login user again programmatically ?
Thanks for your help.