Thank you for clarifying, Mohit.
Given the results you have seen in this case, we'd have to try something that Alex proposed earlier:
"In a true AA environment you don't want users to access the APP servers by their names directly, so you will want to have a load balancer/redirector to route the traffic to any App server. It may be possible to configure the single sign at the load balancer level, depending on what you are using, so you may not need to use Waffle on the specific Tomcat. The configuration will depend on what load balancer you are using and if it offers that option."