When a ProxySG is responsible for authenticating user traffic that comes from different domains, it is possible to authenticate against all domains involved using IWA and BCAAA under a specific set of conditions.
Those conditions are:
With the above conditions in place, it is possible to have an Authentication rule for each domain in the Web Authentication layer within Policy. The Source for each rule would be the IP range that is associated with that specific domain, and the Action would be to authenticate against the IWA realm for that domain, which points to the BCAAA server for the domain.
The order in which the rules are added will not matter if this is done, because a rule applies only when its Source condition is met.
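The order-independence described above depends on no client address falling inside the Source range of more than one domain's rule. The following check is an added example, not part of the original article or any vendor tooling; it models first-match rule evaluation within a layer, and the realm names and IP ranges are constructed placeholders.

```python
import ipaddress
from itertools import combinations

# Constructed sample rules: (IWA realm, Source IP range). All values are hypothetical.
RULES = [
    ("iwa_domain_a", "10.10.0.0/16"),
    ("iwa_domain_b", "10.20.0.0/16"),
    ("iwa_domain_c", "192.168.50.0/24"),
]

def find_overlaps(rules):
    """Return rule pairs for different realms whose Source ranges overlap."""
    nets = [(realm, ipaddress.ip_network(cidr)) for realm, cidr in rules]
    return [
        (ra, str(na), rb, str(nb))
        for (ra, na), (rb, nb) in combinations(nets, 2)
        if ra != rb and na.overlaps(nb)
    ]

def realm_for(client_ip, rules):
    """Model first-match evaluation: realm of the first rule containing the IP."""
    ip = ipaddress.ip_address(client_ip)
    for realm, cidr in rules:
        if ip in ipaddress.ip_network(cidr):
            return realm
    return None  # no Source condition met, so no authentication rule applies

def order_independent(rules):
    """True when rule order cannot change which realm a client is sent to."""
    return not find_overlaps(rules)

if __name__ == "__main__":
    print("order independent:", order_independent(RULES))
    print("10.20.4.7 ->", realm_for("10.20.4.7", RULES))
    # Adding a range that sits inside another domain's range breaks the property.
    bad = RULES + [("iwa_domain_d", "10.20.8.0/24")]
    for hit in find_overlaps(bad):
        print("overlap:", hit)
```

Running this over the planned Source ranges before building the layer shows whether any client could be challenged by the wrong domain's realm depending on rule position.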