HTTP Sessions invalid in JBoss EAP after domain name update

Solution Verified - Updated -

Issue

  • We cut over to EAP 7 servers, and the primary URL for this app is https://second.domain.org/app. The decommissioned EAP 6 environment was https://first.domain.org/app. In order to give our users time to learn the new URL, we added DNS entries to resolve both URLs to the new EAP 7 environment. We also added the second.domain.org domain as a SAN on the SSL certificate. The issue was reproduced by accessing https://second.domain.org/app, logging on, and then making a payment to the external URL. The app hard-codes the response as https://first.domain.org/app/payments/creditCardPaymentResult.do. The starting URL was the old domain and the end response was first.domain.org. This kicked the user completely out, returned them to the logon page, and the user believed no payment had been processed. But payments were being processed. We fixed this by adding a rewrite rule for first.domain.org to second.domain.org on the firewall. Would this be caused by violating a Java, JBoss, or some other spec? There are no cert errors, so the SAN for first.domain.org works without issue.

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
