I set up j_security_check with form authentication on my orbeon app and it works fine. Orbeon is under URL https://localhost:8444/orbeon/.

The problem is that I have embedded orbeon API in my jsp page which is under URL https://localhost:8444/BackOffice/form.jsp. On this page I display some orbeon form and when I try to go to this jsp page login page pop up instead.

I changed the cookie path to / (instead of /orbeon) in web.xml:

<session-config>
    <session-timeout>60</session-timeout>
    <cookie-config>
        <path>/</path>
    </cookie-config>
</session-config>

but it didn't help. I'm still facing the same problem.

When I look at the HTTP requests I can see that when I'm trying to reach the JSP page, an HTTP request with 2 JSESSIONIDs is issued (one for orbeon, one for backoffice), so everything should works fine but it doesn't.

Does anyone know what I am doing wrong?

By embedding, I assume that you're referring to the Form Runner Java Embedding API. If that is the case, end-users should never be hitting /orbeon directly, assuming is this where Orbeon Forms is deployed. Instead they should go through your app, which includes the form produced by Orbeon Forms.