If two root CAs are cross-signed by each other, there will be a cycle in the certification trust path.
If such a cycle exists, and one of the roots is used in the certificate chain for OCSP, then EJBCA goes into an endless loop trying to add the roots to the chain. This results in the following messages with alternating DNs, if debug logging is turned on, and eventually EJBCA runs out of heap space.
The problem happens when the OCSP cache is built, which happens at startup. So it prevents EJBCA from starting.
Note that only the most recent, non-expired certificates are used.
We have a patch that should solve OCSP responder startup, so it gets to the point where it can respond to OCSP queries. But there may be other parts of EJBCA that are affected. This should be checked also (does not need to go to the same release, so it could be done as separate issues, if it turns out to be time consuming).
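The cycle described above can be reproduced with a small model. This is an added example, not EJBCA code and not the patch mentioned in this issue. The `Cert` record, the `buildChain` method and all DNs are constructed for illustration, and a certificate is reduced to its subject and issuer DN.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class CrossSignedChainDemo {
    // Simplified stand-in for an X.509 certificate: only the two DNs matter here.
    record Cert(String subjectDn, String issuerDn) {
        boolean selfSigned() { return subjectDn.equals(issuerDn); }
    }

    // Walks issuer links upward from the leaf. Stops at a self-signed root, at an
    // unknown issuer, or when a subject DN is already in the chain (the cycle),
    // so the chain can never hold more entries than there are distinct DNs.
    static List<Cert> buildChain(Cert leaf, Map<String, Cert> bySubjectDn) {
        List<Cert> chain = new ArrayList<>();
        Set<String> seen = new HashSet<>();
        Cert current = leaf;
        while (current != null && seen.add(current.subjectDn())) {
            chain.add(current);
            if (current.selfSigned()) {
                break;
            }
            current = bySubjectDn.get(current.issuerDn());
        }
        return chain;
    }

    public static void main(String[] args) {
        // Constructed DNs: Root A and Root B are cross-signed by each other,
        // and only the most recent certificate per subject DN is kept.
        Cert rootA = new Cert("CN=Root A", "CN=Root B");
        Cert rootB = new Cert("CN=Root B", "CN=Root A");
        Cert ocspSigner = new Cert("CN=OCSP Signer", "CN=Root A");
        Map<String, Cert> store = Map.of(
                rootA.subjectDn(), rootA,
                rootB.subjectDn(), rootB);

        // Without the 'seen' check this walk would alternate between the two
        // root DNs and keep growing the list until the heap is exhausted.
        List<Cert> chain = buildChain(ocspSigner, store);
        for (Cert c : chain) {
            System.out.println(c.subjectDn() + " issued by " + c.issuerDn());
        }
        System.out.println("chain length: " + chain.size());
    }
}
```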