A: 

I finally solved this problem by changing the application pool user to a local user. The problem is probably caused by the SSO being hosted on a 64-bit OS; this problem does not exist if I host the SSO on a 32-bit computer (even if I use a domain user for the application pool).

Now I use ApplicationPoolIdentity or Network Service, and the exception disappeared after I restarted IIS.

Thanks to all you guys, and I am so glad to share my solution with you.

Aaron Wang
OK, finally, I have to say it is because the domain user I used for the application pool does not have some required access rights, but I don't know what kind of rights. Can anyone who finds that also send me an email ([email protected])?
Aaron Wang
A: 

There seems to be some kind of security issue when you have several apps sharing the same domain on Win Server 2008 with IIS 7.5.

If you have URLs http://ourdomain.com/app1 and http://ourdomain.com/app2, you can sign in on one app with WIF, but when you access the other app you get this error. This is because the cookie is for the domain, but if it's created by app1 then app2 can't access it.

So the solution is either to do as Aaron did and use a specific user that has access rights, or, as we did, separate the apps onto two different domains, i.e. http://app1domain.com/ and http://app2domain.com/.

Kristoffer Vidmo
What do you mean by "separate the apps onto two different domains, i.e. http://app1domain.com/ and http://app2domain.com/"? If I use http://app1.domain.com and http://app2.domain.com, I still have this problem. And what kind of special access rights are required if I use a domain user?
Aaron Wang
First we used one website (domain.com) with two virtual directories, app1 and app2. We had to split them into two websites with different domains (app1domain.com and app2domain.com) to get it to work. You probably need two app pools as well. We never tested different access rights or users, but since you got it to work I figured it was a valid solution.
Kristoffer Vidmo
Sure, I tried to create two different pools for app1 and app2 with a domain user, but I still got the problem. If I use a domain user who is an administrator, then it is the same as using ApplicationPoolUser or Network Service. From this, I can say that the domain user must be missing some access rights, but I don't know what rights.
Aaron Wang