Hello,
Solution 1: You can define a multidomain sso access profile and attach it to every VS (but mix between web access and webtop is sometimes bad)
Solution 2: you setup each VS as SAML SP and you add a SAML idp to authenticate users. Once a user is authenticated on the IDP,he can go to every app that rely on the same IDP without further authentication
Solution 3: in v12.0.0, you have now a scope option in each access profile. I think you can extend the scope and allow access to other apps.
Solution 4: you use irule to make it works your way. I already developed irules to manipulate apm sessions and it works fine in many cases
But to solve this issue, you first need to stop having an apm cookie that spread the whole domain: domain.com
You can have only one MRHSession by hostname.