APM doesn't by default remove application cookies. The issue may be that at the moment the application is sending the cookie to the client that APM is doing something preemptive. I'm guessing the application only sends the JSESSIONID cookie once at the beginning of the session. Are you doing APM Forms-based SSO to the server? You may need to do a client side capture of the JBOSS interaction without APM in the mix to see exactly how the application works and when things happen. So for example, if the application sends the JSESSIONID cookie after the successful form-based logon, APM shouldn't get in the way of that cookie getting all the way to the client. If somehow that cookie is sent before the user posts their credentials, then you might need to code something to preemptively go get it with APM before the logon is posted.