I can confirm the bug at 6.9 with stable updates as today (2018-07-19). The bug is easily reproducible with the second set of instructions (using multiple tabs; obviously no Account Provider tab is available on 6.x).
Once installed the proposed packages, I tried to reproduce the bug but I cannot. I modified several different things on different tabs, opening also help pages, the issue didn’t arise once. Full log of the httpd-admin sessions (before and after the manual upgrade) here.
I recently developed the webgui for this additional package and it showed the 400 Error for the CSRF after visiting the Help page. After the updates, the bug is gone.
Expiration rules verified after 5 actions as requested.
I cannot update the Enhancement #3445, as I have an account for dev but never been able to post anything on it.
Thanks, regards,