Forum Discussion

LRei76
Feb 02, 2016

APM: same VS for two applications, but apm treats them as different sessions

Hi all,

 

I am currently trying to solve the following problem: I have a single VS which serves two different applications (let's name them app1 and app2). App1 is balanced to pool1 and app2 is balanced to pool2. Which request belongs to which pool is determined by evaluating the host-header. Both apps are requested from a client by using different fqdns: app1 = app1.example.com, app2 = app2.example.com. Both FQDNs point to the same VS (using DNS). Users only browse to app1 first, they are authenticated by apm here and then can use the application. Within the gui of app1 there is a link to app2 which is using an iframe to show app2 within app1 gui.

 

This works flawlessly as long as apm is not used. As soon as apm is involved I can no longer use app2. Firefox is giving users an error message "sec_error_bad_der" and IE is only showing that the page cannot be displayed. I first suspected something with TLS and certificates to be at fault, but I could confirm they are working. App1 and app2 are using the same san-cert (...it is the same VS). So I dug a little further and soon discovered that apm is treating the request for app2 as a new session. That breaks the application somehow. Apm is trying to show the logon page, but the browsers do not seem to get that right.

 

I now tried to get apm to recognize the authentication which we already passed on calling app1 the first time. Using the Domain Cookie option within the access profile makes things worse, now I get a logon screen on every refresh or link. I have seen with firebug that the domain cookie from apm is there, but I also see a MRHsession cookie for app2 every time.

 

Does someone have a solution for this? Remember it is the same VS for app1 and app2, so it is also the same access profile. An irule is checking for the host-header and selects between app1-pool and app2-pool. The client sends requests to two different fqdns (but from the same domain) which point to the same VS.

 

Thank you very much.

 

4 Replies

  • A couple of suggestions:

    1. You may be configuring the domain cookie option incorrectly if you're getting a separate app2 cookie. That shouldn't happen. Your domain cookie option should just be the greatest common FQDN for both applications, without the leading dot.

      example: domain.com
      
    2. Try moving your application switching logic to the ACCESS_ACL_ALLOWED event. It provides the same functionality as an HTTP_REQUEST, but is guaranteed to happen after access policy evaluation. With APM, an HTTP_REQUEST event can happen before and during access policy evaluation, which may be confusing the applications/processes.
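Why the domain cookie value in suggestion 1 matters, as an added example that is not part of the thread: a simplified RFC 6265 domain-match check (no public-suffix handling) showing which hosts receive a host-only session cookie versus one scoped to the common parent domain. The host `other.example.com` and the cookie objects are constructed; the wider scope also hands the session cookie to every other host under that domain.

```python
# Added illustration: browser-side cookie scoping per RFC 6265 (simplified).
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    origin_host: str             # host that answered with Set-Cookie
    domain_attr: Optional[str]   # Domain= attribute; None means host-only


def normalize(domain: str) -> str:
    """RFC 6265 5.2.3: a leading dot in Domain= is ignored."""
    return domain.lstrip(".").lower()


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: identical, or host is a subdomain of domain."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def sent_to(cookie: Cookie, request_host: str) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    if cookie.domain_attr is None:
        # Host-only cookie: exact host match, so app2 never sees app1's cookie.
        return request_host.lower() == cookie.origin_host.lower()
    domain = normalize(cookie.domain_attr)
    # A Domain= that does not cover the setting host is rejected at set time.
    if not domain_match(cookie.origin_host, domain):
        return False
    return domain_match(request_host, domain)


def scope(cookie: Cookie, hosts: List[str]) -> List[str]:
    """Hosts from the list that would receive the cookie."""
    return [h for h in hosts if sent_to(cookie, h)]


# Constructed sample data based on the FQDNs in the question.
HOSTS = ["app1.example.com", "app2.example.com",
         "other.example.com", "badexample.com"]
HOST_ONLY = Cookie("MRHSession", "app1.example.com", None)
PARENT = Cookie("MRHSession", "app1.example.com", "example.com")
DOTTED = Cookie("MRHSession", "app1.example.com", ".example.com")
SIBLING = Cookie("MRHSession", "app1.example.com", "app2.example.com")

if __name__ == "__main__":
    for c in (HOST_ONLY, PARENT, DOTTED, SIBLING):
        print(c.domain_attr, "->", scope(c, HOSTS))
```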

  • LRei76

    As a general update: My test this morning did not show the inconsistent behavior my bigip showed yesterday. My bigip sent me domain-cookies which were no longer configured in the webgui, and tmsh also showed only some parts from a previously configured multi-domain experiment. This now seems to be solved by removing them by hand in tmsh. After that the domain-cookie option is working as expected - it even solved the problem with app2 not working within iframes.

     

    I also tried out the new v12 feature 'Profile Scope' within the access profile. Setting it to 'virtual server' also got things working. But since the productive bigip is v11.4.0, domain cookies have to be used - I hope it works there a little less problematically than in my lab.