Thanks Sankar. I read the bullet you mentioned:
If transactional requests within a single transaction arrive from multiple clients (this could happen if there are intermediary objects or programs in the transaction call-chain), all requests within the same transaction must be associated with the same security context.
I could not completely understand what it means though.