When a session is destroyed, the SingleSignOn valve receives a notification. It checks the destroyed session to see whether its maxInactiveInterval has been surpassed. If so, it assumes the session was destroyed due to timeout, and other sessions associated with the sso are not invalidated. If the maxInactiveInterval was not exceeded, it assumes the session was destroyed due to a deliberate call to session.invalidate(). In this case, the other sessions associated with the sso are also invalidated.
There is a problem with this approach, namely that if an app is undeployed, all its sessions are destroyed, probably before their maxInactiveInterval has passed. The sso valve will interpret this as a conscious invalidation and will terminate all associated sessions. So, undeploying a webapp will have the effect of terminating all sso sessions associated with the app. See http://jira.jboss.com/jira/browse/JBAS-2429.
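The heuristic described above, as an added example that is not part of the original post and is not the JBoss/Tomcat valve source. The classes Session and SsoEntry are hypothetical, and the model assumes "surpassed" means idle time since last access is at least maxInactiveInterval.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the timeout-vs-invalidate heuristic (illustrative only).
public class SsoHeuristicDemo {
    static final class Session {
        final String app; final long lastAccessedMs; final int maxInactiveSecs;
        boolean valid = true;
        Session(String app, long lastAccessedMs, int maxInactiveSecs) {
            this.app = app; this.lastAccessedMs = lastAccessedMs;
            this.maxInactiveSecs = maxInactiveSecs;
        }
    }

    // All sessions that share one sso identity (hypothetical container).
    static final class SsoEntry {
        final List<Session> sessions = new ArrayList<>();

        // Called when a member session is destroyed. Returns true if the
        // destruction was classified as a timeout (other sessions survive).
        boolean onSessionDestroyed(Session s, long nowMs) {
            s.valid = false;
            sessions.remove(s);
            boolean timedOut = s.maxInactiveSecs > 0
                    && nowMs - s.lastAccessedMs >= s.maxInactiveSecs * 1000L;
            if (!timedOut) { // treated as a deliberate session.invalidate()
                for (Session other : sessions) other.valid = false;
                sessions.clear();
            }
            return timedOut;
        }
    }

    // Destroys app A's session after idleMs and reports whether app B's survives.
    static boolean otherSurvives(long idleMs) {
        SsoEntry e = new SsoEntry();
        Session a = new Session("A", 0L, 1800), b = new Session("B", 0L, 1800);
        e.sessions.add(a); e.sessions.add(b);
        e.onSessionDestroyed(a, idleMs);
        return b.valid;
    }

    public static void main(String[] args) {
        // The valve sees only the destroy event and the timestamps, so an
        // undeploy after 5 minutes looks exactly like a logout after 5 minutes.
        System.out.println("A expired after 31 min idle  -> B valid: " + otherSurvives(31 * 60_000L));
        System.out.println("A invalidate() after 5 min   -> B valid: " + otherSurvives(5 * 60_000L));
        System.out.println("A undeployed after 5 min     -> B valid: " + otherSurvives(5 * 60_000L));
    }
}
```

The second and third calls pass identical inputs, which is why the heuristic cannot tell an undeploy from a logout.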
Thanks, Brian!