The action attribute is not maintaining the orginal query string. The first time the login is called the parameter is there because it was part of the URL being called. When the login page displayed it dropped the parameter.
For custom authentication you can do the following:
1) Create a new property in Code-Pega-Thread call SSOQueryString.
2) In your login activity map pxThread.SSOQueryString to param.pyQueryString in a property set step.
3) Update your login HTML and change the form to also include the query string in the action attribute:
4) Depending on some of your error handling etc make sure that the Data-Admin-AuthService is specifying your correct login, with updated form element, on the Custom tab for both "Credential Challenge Stream" and "Authentication Failure" stream.