Check what happens to your cookies. In particular the MYSAPSSO2 cookie and the domain/path associated with it.
Flow: when you log off from the portal it automatically goes to subsystems and closes down existing sessions. If it can't SSO to them, then you will be prompted for authentication.
The most common method to authenticate to a sub-system (either your java or fiori) is to use the MYSAPSSO2 cookie generated by the portal. Important to note the domain on there as it should match the domain of sub-systems (always try to use FQDN in your config). You may have other authentication types upsetting the flow (e.g. spnego to the fiori app).
What I suspect is that you connect to the portal and get a MYSAPSSO2. Then you connect to a sub-system which is generating/deleting/changing the cookie. Then when you log off it's connecting to sub-system2 with an untrusted/unavailable MYSAPSSO2 (probably from sub-system1) and prompting for the authentication.
You may have to delve in to the authentication stack for each system to figure out exactly what's happening.
