Wednesday, 25 March 2015

Spring Security : Call from external website unable to redirect to our application

We are developing a Spring-based web application, which is using Spring Security 3.2.3. We are integrating with an external payment gateway (Paytm) for accepting users' payments. Following is a scenario where we are facing an issue:

  1. User logs in to the application (it's a plain HTTP app, not HTTPS) and clicks on a button which redirects him to the payment gateway (Paytm payment gateway - it's an HTTPS URL).

  2. For Paytm integration, we have configured a callback URL, i.e. the index page of our application (e.g. http://server:port/app/index.jsp). User completes the payment and Paytm redirects the control back to our Spring application.

  3. When Paytm tries to call our app's index page (e.g. http://server:port/app/index.jsp), it fails, and in the Chrome debugger we could see a 403 Forbidden response.

  4. However, this scenario works well in Mozilla Firefox and IE 11. The issue is only seen in Google Chrome and Opera browsers.

  5. We tried providing some other website in the callback URL (like https://google.com) and the redirection was successful.

What we suspect is that it might be some config issue or missing setting in Spring Security, but we are not sure which.


This is our Spring Security config:



<http auto-config="true" use-expressions="true">
    <!-- Un-comment when authorization is implemented -->
    <intercept-url pattern="/**" access="isAuthenticated()"/>
    <form-login authentication-failure-handler-ref="failureHandler"
                authentication-success-handler-ref="successHandler" />
    <intercept-url pattern="/**" />
    <logout logout-success-url="${login.page.url}" />
</http>

<authentication-manager alias="authenticationManager">
    <authentication-provider>
        <password-encoder ref="encoder" />
        <jdbc-user-service data-source-ref="dataSource"
            users-by-username-query="select gu.email, gu.password, gu.enabled from global_user gu, global_organization_user gou, global_organization go where email=? and gu.enabled=1 and gu.is_deleted=0 and gou.user_id = gu.id and gou.organization_id=go.id and go.current_stage='ACTIVE' and go.is_deleted=0"
            authorities-by-username-query="select u.email, r.role_id from global_user u, security_user_role r where u.id = r.user_id and u.email=?" />
    </authentication-provider>
</authentication-manager>

<beans:bean id="encoder"
    class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
<beans:bean id="successHandler"
    class="app.server.security.authentication.AuthenticationSuccessHandler" />
<beans:bean id="failureHandler"
    class="app.server.security.authentication.AuthenticationFailureHandler" />

<beans:bean id="expressionHandler"
    class="app.server.security.authorization.CustomMethodSecurityExpressionHandler">
    <beans:property name="permissionEvaluator" ref="authorizationEvaluator" />
</beans:bean>

<beans:bean id="authorizationEvaluator"
    class="app.server.security.authorization.AuthorizationEvaluator" />

<global-method-security pre-post-annotations="enabled">
    <expression-handler ref="expressionHandler" />
</global-method-security>

<http pattern="/rest/app/someurl**" security="none"/>
<!-- other URLs which are excluded from Spring Security -->


Any suggestions and pointers are appreciated.
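As an added illustration (editor's example, not part of the original post, and not a claimed fix for the 403 described above), here is the same namespace configuration with the two things a reviewer would check first. Spring Security tries `<http>` elements in declaration order and uses the first chain whose `pattern` matches the request, so a chain with `security="none"` must be declared before the catch-all `<http>` that has no `pattern`; declared after it, as in the post, it is never reached. The `<debug/>` element (available in the security namespace since 3.1) wraps the filter chain in Spring Security's `DebugFilter`, which logs, for each request, which chain and which filters handled it, so the rejected callback from Paytm can be traced to the filter that produced the 403. The bean names, the `${login.page.url}` placeholder and the `/rest/app/someurl**` pattern are taken from the post; the schema declarations and the placement of `<debug/>` are assumptions.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!-- Diagnosis only (assumption: not in the original config). DebugFilter logs the
         matched filter chain and the filters applied to every request. It is verbose;
         remove it once the rejected callback has been traced. -->
    <debug/>

    <!-- Chains are matched in declaration order; the first matching pattern wins.
         Pattern-specific chains must therefore come BEFORE the catch-all chain. -->
    <http pattern="/rest/app/someurl**" security="none"/>

    <!-- Catch-all chain (no pattern attribute) declared last. -->
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <form-login authentication-failure-handler-ref="failureHandler"
                    authentication-success-handler-ref="successHandler"/>
        <!-- The second <intercept-url pattern="/**"/> from the post carried no
             access expression and is dropped here; it defined no rule. -->
        <logout logout-success-url="${login.page.url}"/>
    </http>

    <!-- authentication-manager, encoder, successHandler, failureHandler,
         expressionHandler, authorizationEvaluator and global-method-security
         are unchanged from the post and belong here. -->
</beans:beans>
```

With `<debug/>` in place, set the `org.springframework.security` logger to DEBUG as well: the debug filter shows which chain the callback request landed in, and the DEBUG-level log of `ExceptionTranslationFilter` and `FilterSecurityInterceptor` shows whether the 403 came from an access decision on `/index.jsp` (an authenticated session that failed `isAuthenticated()` would instead be redirected to the login page, not given 403) or from some other filter. Compare the two log traces, one from Firefox and one from Chrome, for the same callback request; the first line at which they diverge identifies the filter that behaves differently.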

