SSO might fail if the portal is accessed through SAP Webdispatcher or proxy
Let's say the webdispatcher is installed in the domain external.net but the sapsystems in internal.net.
If the portal is called in the intranet through hostname.internal.net a MYSAPSSO2 cookie will be issued for the internal.net domain. In this case when the second system is called, the browser will send this cookie and the SSO will work.
If the portal is called through the webdispatcher the MYSAPSSO2 cookie will be issued for the domain external.net. This cookie won't be sent by the browser in the SSO scenario as the domains are different.
By setting the ume.login.mdc.hosts = http://hostname.internal.net:<port> the portal will execute a 'redirect' to himself and by this a second cookie for the internal.net domain will be issued even if the portal was called through the internet.