A customer recently encountered an issue where OpenIG was not reusing connections when talking to a protected application. The cause is that the Apache HTTP client does not reuse connections when client certificates are passed to backend systems, regardless of any Keep-Alive headers. As a result, many new connections are opened.
The customer made a small change to the http-client-apache-async component inside the forgerock-commons project (version 20.1.0) to allow connection reuse; see the attached diff. Perhaps this can be made configurable.