When using a proxy it is possible that the x-forwarded-for will contain the port and more importantly change the port number per connection. This breaks SSO as the newly created port number is different from a sperate connection, thus changing the token.

You will have entries in log similar to the following which specify the port and not just the IP to be used.

com.atlassian.crowd.model.authentication.ValidationFactor@6a8768[name=remote_address,value=10.80.47.22]com.atlassian.crowd.model.authentication.ValidationFactor@1dfe824[*name=X-Forwarded-For,value=10.19.73.9:53672*]