When one OpenAM server creates and validates a SSOToken where the session resides on another server, the underlying Session object is held in the cache. When the cache ttl (3 mins) expires then the OpenAM server will go back to the session owning server. The cached Session object will then be updated based on the response from the remote server.
The cached Session object will reside in memory until the maximum session time is reached. If the maximum session time is set very long (months) then the number of Session objects on the heap can rise very high