I'd look closely at CORS headers during a failed session using the browser's "developer mode". CORS and authentication redirects don't get along well, so you'll see errors while fetching the stylesheets. This is more of a problem in Chrome than IE. Not sure about Firefox though. If this turns out to be the problem, here's the policy we used to resolve it:
<Proxy>
request.x_header.Origin.exists=yes action.add_allowed_domains(yes)
define action add_allowed_domains
set(exception.response.x_header.Access-Control-Allow-Origin,"$(request.x_header.Origin)")
set(exception.response.x_header.Access-Control-Allow-Credentials, "true")
set(response.x_header.Access-Control-Allow-Origin, "$(request.x_header.Origin)")
set(response.x_header.Access-Control-Allow-Credentials, "true")
end
<proxy>
request.x_header.origin.exists=yes authenticate(no)