On the internal mailing lists there's often a question that goes something like:
I want to deploy OAM like this:
Is this supported?
The answer is "If you really want to do that then yes. But you probably shouldn't do it that way."
Read on for why.
The first thing to think about is how you are going to deploy OAM "for real". Consider a company like Oracle, which uses OAM to protect basically everything. If you go to http://support.oracle.com/ to open or look at a support case, or to http://www.oracle.com/ to read up on the products, or to https://edelivery.oracle.com/ to download software, or to nearly any Oracle site that requires you to log in, you are going to log in through OAM. But before you are prompted for your credentials, OAM first needs to see if you have an existing session.
Here's my post about how the OAM login process actually works.
If you were to deploy OAM as in the diagram above, then when you deploy your second application every OAM will need to redirect every user to the first web server to see if they have a session, and to log in if they don't. When you add your third application, it too will need to redirect users to the first web server. And on and on.
Which is why this is how you should deploy OAM:
Or like this if you want to put a web server in front:
Then you use a public hostname like "login.mydomain.com" for OAM.
Which is exactly what you see if you log in to Oracle.com.