Hi Vipul,
This is the expected behavior of your use case and this is the intention of higher "Protection levels" in Authschemes.
SMSESSION is getting created after authentication and user needs to have right group/role membership along with right protection level in order to get authorized. If an user has SMSESSION, it does not mean that he/she should get access to all the protected resources.
When users authenticate successfully against a scheme, they can access any resource with a protection level equal to or below the current authentication scheme, but not higher. Users still require authorization for a resource to gain access to it.
Is there any reason/requirement behind to keep different protection level's ?
If you don't wan't to challenge user while accessing your second app, you can just keep all the app authentication at same protection level.
Thanks
Ashok