When the user clicks on the logout button, not only the current session, but also all the active sessions belonging to BPM Sign-on (session0) and the other domains must be invalidated. For example, if all the sessions are active, and the current session (session2) gets a logout request, then session0, session1, and session3 must also be invalidated.
