A 401 on the /touch operation is perfectly normal. The SSO handshake has to start somewhere and what Share is doing is calling the /touch operation to check if SSO is enabled - if SSO is enabled, the /touch operation will send the 401 with the appropriate WWW-Authenticate header to indicate to the client which type of authentication is required (NTLM / SPNEGO). The only way to prevent the 401s in this case would be to disable SSO altogether...
When you are using SiteMinder (you should have mentioned that in the original post) then it could be that - for some reason - the user header is simply no longer included in the HTTP request and can thus not be forwarded from Share to the Repository-backend. Or it is stripped from the request from Share to Repository (if you are routing that through F5 / proxy with SiteMinder) to fend off attempts of impersonation (i.e. as if a user constructed a request with SiteMinder user ID header already added).
So finally I need to exclude this alert from newrelic to avoid this confusion. I do not want my client see this alert frequently with high error rate. as you said it is valid 401 code for SSO handshake.
I know this is an old question, but for the people having to add a URL for ping in monitoring tools like NewRelic, Stackify, etc. you can use alfresco/service/touch?guest=true which will just give a status 200.
Don't use /share/page because mostly share is fine while repo is down .