Problem: we switched from OpenID auth to Crowd and set up the Crowd2 plugin properly, but trying to log in on some hosts with proper credentials doesn't lead to the user being logged in, and there are no messages in the log.
Let's start by saying that the Authentication REST API and Cookie SSO are two separate, orthogonal things. Also, you usually use only one of them, simply because one is enough. This is commonly known as the "Unix way" (though it has deeper roots in everyday life). Now, you can use them together. But assuming that everyone wants that and silently forcing everyone to use them together is quite different from "can use". So, what do we have with Crowd2? To configure it, one needs to enter REST API credentials, so it's fair to assume that it uses the REST API, and the page https://wiki.jenkins-ci.org/display/JENKINS/Crowd+2+Plugin says: "Is Single-Sign-On (SSO) supported? Yes". So, again, "supported" is quite different from "silently forced with zero diagnostics in case of failure".
So, how this was diagnosed: after looking at the plugin source, it was seen that there is a lot of logging, but at levels not enabled by default. After fiddling with Jenkins to somehow enable it, it became clear that after authentication and initial login by REST API using code, a user gets immediately logged out by CrowdServletFilter when the cookie is not present, for example, if a host is in another domain than the Crowd server.
So, what's needed by many users (as a few other similar bug reports show) is to disable this SSO cookie handling and stay with the predictable REST API, as well as updating the docs to warn users about issues when using SSO (especially if it stays on by default).
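
The cross-domain case described above can be predicted before users hit it. The following is an added example, not part of the original report or the plugin's code: it applies the RFC 6265 domain-match rule that browsers use to decide whether a cookie is sent to a host, and lists the Jenkins hosts that would never receive an SSO cookie scoped to a given domain. The cookie domain and host names are constructed sample values, and public-suffix restrictions are not modelled.

```python
import ipaddress


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match.

    A leading dot on the cookie's Domain attribute is ignored, as browsers do.
    """
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if not domain:
        return False
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # IP literals only ever match exactly, never by suffix
    except ValueError:
        pass
    # A suffix match must fall on a label boundary: "badexample.com" must
    # not match "example.com".
    return host.endswith("." + domain)


def hosts_missing_sso_cookie(cookie_domain: str, hosts: list[str]) -> list[str]:
    """Hosts a browser will not send the SSO cookie to.

    On these hosts a filter that requires the cookie sees none, which is the
    condition the report ties to the silent logout.
    """
    return [h for h in hosts if not domain_match(h, cookie_domain)]


# Constructed sample values (assumptions, not taken from the report).
SSO_COOKIE_DOMAIN = ".example.com"
JENKINS_HOSTS = [
    "jenkins.example.com",     # same domain as the cookie scope
    "ci.build.example.com",    # deeper subdomain, still in scope
    "jenkins.example.org",     # different domain
    "jenkins-example.com",     # looks similar, not on a label boundary
    "10.0.0.5",                # accessed by IP address
]

if __name__ == "__main__":
    for host in hosts_missing_sso_cookie(SSO_COOKIE_DOMAIN, JENKINS_HOSTS):
        print(f"{host}: SSO cookie for {SSO_COOKIE_DOMAIN} will not be sent")
```
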