As outlined in my email on the developers list, http://lists.kolab.org/pipermail/devel/2016-March/015442.html, the canonification with Cyrus does not work for multiple domains that live in separate LDAP trees. (I would be happy to be proven wrong by a working example).
My proposal is to have an option unique_uid_across_domains=true in kolab.conf.
It would default to false to keep the current behaviour.
When set to true, this will enforce a unique identifier (UID) across multiple domains.
In turn it is then possible to search all domains for that unique id, and make sure that kolab-saslauthd, WAP and Roundcube will authenticate against the right domain.
I have a patch prepared, and would like to apply that when this feature request is accepted by Architecture and Design.