I'm surprised that you claim this works for site admin. Especially when the HTTP header above states:
X-FRAME-OPTIONS: SAMEORIGIN
Type of account should not matter in most cross-domain issues because they are browser/HTTP issues, not SharePoint-related.
Are your non-admin users authenticated to both domains (aaa and bbb) at the time the cross-domain calls are made?
--
Paul T.
-- Sent from Mobile