Whenever you need to debug a SSO login on CQ5, because all of a sudden a basic authentication appears, make sure, that you don’t have HTTP basic authentication headers set next to your SSO cookie.
Because the Sling Authentication Service has set “Basic authentication (preemptive)” as default. Which means, whenever no other service feels responsible to extract authentication headers from the request (maybe because they are configured not to do this on a certain path), this service will try Basic Authentication. And just by the way: Setting this property to “Enabled” will kill the authentication of incoming replication requests. So it’s best do eliminate the “Authentication” header at a dispatcher level and avoid to go through the dispatcher when doing replication.