It happens very sporadically.
I had to login/logout about 20 times to reproduce it once. Another time, it happened twice in a row. I think you may be correct in your assumptions though. How is that r value generated?
I am leaving that at the default. Should it matter? I'm destroying the sso token using the rest API when I log out.
After logging out, the user is taken to our login screen. Where the situation in my original post happens.