Just saw this coming in so sorry for the somewhat late reply.
I'm indeed pretty sure it needs to call `invocationContext.proceed()` like you mention. The moment it calls this probably doesn't even matter that much. It can either do it before it cleans up its own cookie or afterwards.
I do wonder about the SecurityManager involvement in the failure here, but it's hard to comment on that since I don't know the "cleanSubject" test exactly does or doesn't.