Interesting. I remember that there was an SSO issue with the switch from Passenger to Puma, but this has been fixed.
I am looking through old threads for clues and saw this, and I am wondering if it is worth a look: "SSO Failed" error while integrating with Keycloak - #8 by autorune