We’re chasing down a strange problem here that we’re calling ‘double logins’ – In our QA env. the user is presented with the login page, and after entering the correct information, they are reprompted with the initial screen, no error messages. The second attempt always works. This is not an issue on our production machines. This is reflected in the original GET being returned a 200, as opposed to the working attempt resulting in a 302. Production returns the 302 without reprompting.

We're deployed on JBoss with Apache httpd doing the load balancing.

The only thing we see in the liferay log file is:
WARN Reject process action for https://xxx.com/web/xxx-portal/login on XXXPortlet_WAR_XXXportal001SNAPSHOT

Not sure if this is a red herring or not. I tried adding the following property to my portal-ext.properties file:
portlet.add.default.resource.check.whitelist=3,56_INSTANCE_0000,58,82,86,103,113,145,164,166,170,XXXPortlet_WAR_XXXportal001SNAPSHOT

The double login still persisted.

Finally, if we shut down one of the two app servers in the cluster the issue goes away. Also his issue does not exists in our production env cluster either.