First you should understand why the session is not shared across sub-domains by default. As you know, a Java session is maintained through a cookie called "JSESSIONID". The server sends this cookie to the browser with the domain name that the browser requested. For example, let's say I've a domain called "xyz.com" and I'm accessing the xyz.com homepage: the Java container will send a JSESSIONID cookie with the domain "xyz.com" to the browser. It is then the browser's responsibility to send the JSESSIONID cookie value back to the server on subsequent requests made to xyz.com.
So, cookies are clearly tied to the domain name. If I've a sub-domain on xyz.com, e.g. santhosh.xyz.com, by default the JSESSIONID that has been set on xyz.com is not shared with the sub-domain. Since the JSESSIONID can't be shared, the Java session can't be shared either, i.e. a login performed on xyz.com is not retained on santhosh.xyz.com.
In order to share the session across sub-domains, you've to overwrite the existing JSESSIONID cookie so that it is valid for all the sub-domains. Very simple, all you've to do is create a new cookie with the same name, JSESSIONID, assign the current session id as its value, and set its domain to ".xyz.com". Keep in mind that a cookie scoped to ".xyz.com" is sent to every sub-domain of xyz.com, so each of them receives the session id.
Use the code snippet below at the point where the session should start being shared, e.g. in a login action as soon as the user logs in successfully on one domain.
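//specifying name and value of the cookie (javax.servlet.http.Cookie)
Cookie cookie = new Cookie("JSESSIONID", request.getSession(false).getId());
String domainName = request.getServerName(); //Gives www.xyz.com in our example
String domainNamePrefix = domainName.substring(domainName.indexOf("."), domainName.length()); //Returns .xyz.com; a bare host such as xyz.com would give .com
//Specifies the domain within which this cookie should be presented.
cookie.setDomain(domainNamePrefix);
cookie.setPath("/"); //send the cookie for every path, not only the login path
cookie.setHttpOnly(true); //keep the session id out of reach of page scripts
cookie.setSecure(request.isSecure()); //HTTPS-only when the login itself used HTTPS
response.addCookie(cookie); //overwrites JSESSIONID in the browser for all sub-domains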
You can even create a filter and overwrite the JSESSIONID value within the filter code.
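The filter approach, as an added example that is not part of the original post: instead of deriving the cookie domain from the client-supplied Host header, it reads the parent domain from a hypothetical init-param named parentDomain and only issues the cookie when the requested host belongs to it. The class name and the marker attribute are also assumptions, and the code targets the javax.servlet API (Servlet 3.0 or later).

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: re-issues JSESSIONID for a configured parent domain.
public class SharedSessionCookieFilter implements Filter {
    private static final String SENT_FOR = "sharedSessionCookieSentFor"; // hypothetical marker attribute
    private String parentDomain; // e.g. "xyz.com", from the hypothetical init-param "parentDomain"

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String p = cfg.getInitParameter("parentDomain");
        if (p == null || p.indexOf('.') < 1) { // reject missing values and bare TLDs
            throw new ServletException("parentDomain init-param must be a domain such as xyz.com");
        }
        parentDomain = p.toLowerCase(Locale.ROOT);
    }

    // True only for the parent domain itself or one of its sub-domains.
    static boolean inParentDomain(String host, String parent) {
        if (host == null) return false;
        String h = host.toLowerCase(Locale.ROOT);
        return h.equals(parent) || h.endsWith("." + parent);
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) rq;
        HttpServletResponse response = (HttpServletResponse) rs;
        HttpSession session = request.getSession(false); // never create a session here
        // Issue once per session id, so a rotated id (e.g. after login) is sent again.
        if (session != null && !session.getId().equals(session.getAttribute(SENT_FOR))
                && inParentDomain(request.getServerName(), parentDomain)) {
            Cookie cookie = new Cookie("JSESSIONID", session.getId());
            cookie.setDomain("." + parentDomain);  // shared with every sub-domain
            cookie.setPath("/");
            cookie.setHttpOnly(true);              // keep the id away from page scripts
            cookie.setSecure(request.isSecure());  // HTTPS-only when the request is HTTPS
            response.addCookie(cookie);            // added before the response is committed
            session.setAttribute(SENT_FOR, session.getId());
        }
        chain.doFilter(rq, rs);
    }

    @Override
    public void destroy() { }
}
```

Because the cookie is added before the rest of the chain runs, a session created during the current request receives the shared cookie on the following request.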