In a PicketLink application configured from the deployment, it is possible to set more security domains. However, in the PicketLink subsystem only one security domain can be set for an application. This is an inconsistency between the PicketLink deployment configuration and the PicketLink subsystem configuration. An application configured from the PicketLink subsystem should also be able to use more security domains.
When configuring IdPs and SPs you can set a single security-domain. It is not possible to configure more than one for a deployment.
Security domains are used to configure how users are authenticated. What you can do is provide multiple login modules within a security domain if you need to stack different authentication methods.
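
The stacking described in the reply above, as an added example that is not part of the original thread: one security domain in the JBoss/WildFly legacy security subsystem with two login modules, LDAP first and a properties file as fallback. The domain name, host, DNs, file names and credential are constructed placeholders.

```xml
<!-- Added example: a single security domain that stacks two authentication methods.
     All names and values below are placeholders, not taken from the thread. -->
<security-domain name="idp-domain" cache-type="default">
    <authentication>
        <!-- "sufficient": if the LDAP bind succeeds, authentication ends here;
             if it fails, evaluation continues with the next module. -->
        <login-module code="LdapExtended" flag="sufficient">
            <module-option name="java.naming.provider.url" value="ldaps://ldap.example.com:636"/>
            <module-option name="bindDN" value="cn=svc-idp,ou=services,dc=example,dc=com"/>
            <!-- Placeholder; keep the real bind credential out of plain-text configuration. -->
            <module-option name="bindCredential" value="CHANGE_ME"/>
            <module-option name="baseCtxDN" value="ou=people,dc=example,dc=com"/>
            <module-option name="baseFilter" value="(uid={0})"/>
            <module-option name="rolesCtxDN" value="ou=groups,dc=example,dc=com"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="cn"/>
        </login-module>
        <!-- "required": only reached when the LDAP module did not succeed,
             and must then succeed for the login to be accepted. -->
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="users.properties"/>
            <module-option name="rolesProperties" value="roles.properties"/>
        </login-module>
    </authentication>
</security-domain>
```

The IdP or SP still references this one domain by name; the order of the modules and their flags decide which method authenticates a given user.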