In a multi-domain configuration, you MUST use the user's sAMAccountName as the SSO username source, and the user's real domain as the SSO domain name source. APM Kerberos SSO doesn't support referrals, so users in domain1 work because no referrals are needed there. So for example:
session.sso.token.last.username = expr { "bob" } <--- sAMAccountName
session.logon.last.domain = expr { "DOMAIN1.DOMAIN.COM" }
Are you switching between SSO profiles in the VPE? You don't need to do that if the delegation account and web service are in the same domain.
You also don't need the SSO credential mapping agent in a Kerberos SSO. You just need to populate the above SSO input variables.