Access to an SSOToken that are not supposed to reset the idle time do currently reset it. Most internal accesses of an SSOToken will also reset the idle time, including just trying to read the current idle time. This is somewhat obscured because the code that updates the idle time only does so every 60 seconds (by default). This also seems like a bug to me.
If you repeat the second command more than a minute later you will see that the last idle time has updated even if no other activity has taken place.
SSOProviderImpl.createSSOToken(SessionID, boolean, boolean) unconditionally calls `validate()` on the session service without passing in the boolean `resetIdleTime` flag. CtsOperations.validate() then always calls CtsSession.setLatestAccessTime() to update the last access (idle) time.