I am on 11.2.1 HF5. An upgrade to 11.3 is planned soon.
Our DNS is good, though it is different agencies, DNS is central and under our control. I have confirmed this through packet captures and remember *only* the SSO on Outlook web access is broken. Active-sync continued to run flawlessly.
It looks like when you add the second iApp that it garbles the uri of the first iApp SSO. In fact, if you happen to know the correct uri and paste it in once you log in, webmail come right up. Its really specific. I think you were on to something with your first posts but I'm am not knowledgeable enough to fix it once the damage has been done. (other than deleting and recreating)