As I stepped through the source for FlexSessionAwareSessionAuthenticationStrategy which was wrapping SessionFixationProtectionStrategy as its delegate ... I realized that:
1) a new session is created by the delegate by invalidating the old one and using request.getSession(true) to create a new one
2) but afterwards when we jump back to FlexSessionAwareSessionAuthenticationStrategy, the value of currentSession.getAttribute("__flexSession") is null
This means that the reason for the Invalid FlexSession could be due to its absence!
To validate this, I added a fake attribute pair ("__flexSession","123") to currentSession during runtime (after coming back from the delegate's onAuthentication call) ... and this led to the provider creating a FlexSession and then everything worked!
Can you make this fix to the source code?
Or perhaps let me know how to override/extend/inject something in place of FlexSessionAwareSessionAuthenticationStrategy so that I may write my own workaround?