When an unauthenticated user requests a page protected by APM, say GET /, APM sets up a session (sets session cookies, etc.) and does a 302 redirect to /my.policy, where the interactive authentication occurs. After successful authentication there is another 302 redirect to the requested page or whatever is in the APM Policy flow. Now in this scenario, if the user initially sends a POST request with form data (in the payload), the initial 302 redirect does not preserve it.
Losing POST data is normal behaviour for 302 redirects; a 302 also changes the HTTP method to GET. A 307 redirect would preserve the method and the POST data. I believe the 302 redirect is built in by design for the interactive authentication.
There is a way to avoid the 302 redirects using the clientless-mode header in the request, but this is typically used with a non-browser client such as a client application. The request needs to have the clientless-mode: 1 header. I believe the authentication needs to be done by other than interactive means in this case. I have only used 401 to invoke the client to send the credentials in the Authorization header to APM in clientless mode. The credentials are stored in session variables for further use towards the server if needed, like in normal interactive authentication.
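The 302 versus 307 difference described above can be observed locally. The following is an added example, not part of the original post and not F5 APM code: `Gate` is a constructed stand-in server that redirects every request to /my.policy, the form values are constructed, and the client loop follows redirects the way browsers do (it also covers 301, 303 and 308, which the post does not mention).

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class Gate(BaseHTTPRequestHandler):
    """Stand-in front end (assumption): redirects to /my.policy and records what arrives there."""
    status = 302   # redirect code under test
    seen = None    # (method, body) received at /my.policy

    def _handle(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path == "/my.policy":
            Gate.seen = (self.command, body)
            self.send_response(200)
        else:
            self.send_response(Gate.status)
            self.send_header("Location", "/my.policy")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = _handle

    def log_message(self, *args):  # keep the demo output quiet
        pass

def post_via_redirect(status, form=b"user=alice&amount=10"):
    """POST constructed form data to /, follow the redirect, return what /my.policy saw."""
    Gate.status, Gate.seen = status, None
    srv = HTTPServer(("127.0.0.1", 0), Gate)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        method, body, path = "POST", form, "/"
        for _ in range(5):  # bounded redirect chain
            conn = http.client.HTTPConnection("127.0.0.1", srv.server_port, timeout=5)
            conn.request(method, path, body=body)
            resp = conn.getresponse()
            resp.read()
            conn.close()
            if resp.status in (301, 302, 303):    # browsers re-issue a POST as a bodyless GET
                method, body = "GET", None
            elif resp.status not in (307, 308):   # not a redirect: stop following
                break
            path = resp.getheader("Location")
        return Gate.seen
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print("302:", post_via_redirect(302))
    print("307:", post_via_redirect(307))
```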