It was that hawtio servlet uses a single HttpClient instance to proxy requests, with a persistent cookie store, i.e. cookies are stored locally and are not passed between the client and the end URL, which means all clients using that proxy are sharing the same cookies.
Name: Adam Willard (Blue Canopy), Dennis Reed (Red Hat)
This issue has been addressed in the following products:
Red Hat JBoss Fuse
Via RHSA-2017:1832 https://access.redhat.com/errata/RHSA-2017:1832