I was able to isolate the main problem.
It's due to another plugin : HTML5 Notifier Plugin which breaks CSRF protection.
There is an active bug about this problem :
You can reproduce with these steps :
- plugin mantis and html5 notifier in jenkins plugin directory
- activate CSRF protection with "Default Crumb Issuer"
- test verify action