If there are two entries for one person in Users > Management, then that person is being synchronized as two different users and will be recognized by the RSA Cloud Authentication Service as two different users. I expect that if the user is concurrently in two different domains, that is the reason they are being synchronized twice to the Cloud - they will have two different entries in AD - one in each domain tree.
To check the two accounts for all users, you can get a report of all users from Users > Reports in the Cloud Administration Console.
In the test done with user ajoshi, it sounds like the userid and password from domainold is being authenticated OK by AD, which is why it gets to the point of prompting for step-up authentication. As you then enter an 8-digit passcode from an RSA Authenticate app registered to the domainnew user, you will get an authentication failure because that app is not valid for the domainold user. You can check the audit entries for the authenticate attempt under Users > User Event Monitor. For more detail, you can check the audit log - see Configure Audit Logging in the Cloud Administration Console.
Note: if you are not sending the audit log to syslog, you can still Generate and Download an Identity Router Log Bundle from every IDR (because your authentication test may have been processed by any one of your IDRs, and you won't know which one). The RADIUS audit log can be found in the log bundle at var/log/radiusj/radius-audit.log .
If all users exist under domainnew, from what you've describe here it sounds like the best way forward would be to only authenticate using domainnew. Change your Identity Source configuration to ensure it only synchronizes domainnew users. You will also need to delete all the domainold entries from the Cloud Administration Console. Delete a Cloud Authentication Service User explains how to do that.
