Cisco Bug: CSCum24760 - ASA policy-map action not applied correctly after config change
Last Modified
Nov 27, 2020
Products (1)
- Cisco Adaptive Security Appliance (ASA) Software
Known Affected Releases
9.1(3)
Description (partial)
Symptom: When changes are made to a policy-map that includes overlapping classes, actions in that policy are no longer applied in the correct order (i.e. first match). For example:

    access-list alltcp extended permit tcp any any
    access-list bypass extended permit tcp host 10.1.110.10 host 192.168.112.72
    !
    class-map alltcp
     match access-list alltcp
    class-map bypass
     match access-list bypass
    !
    policy-map global_policy
     class bypass
      set connection advanced-options tcp-state-bypass
     class alltcp
      set connection random-sequence-number disable

In this case, a TCP connection from 10.1.110.10 to 192.168.112.72 should have TCP state bypass applied. All other TCP connections should have sequence number randomization disabled. This policy works fine until the TCP state bypass action is toggled (or changed):

    policy-map global_policy
     class bypass
      no set connection advanced-options tcp-state-bypass
      set connection advanced-options tcp-state-bypass
    !
    clear local-host

After this, a TCP connection from 10.1.110.10 to 192.168.112.72 will no longer have TCP state bypass applied.

This issue is not specific to TCP state bypass. The problem also occurs with other actions, such as 'set connection advanced-options {tcp-map}'.

Conditions: This problem is seen after a change is made to an existing policy-map that includes overlapping classes. New policies are not affected. Reading the config from startup-config is also not affected.
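As an added example (not Cisco's code or output), a small Python model of the first-match semantics this bug violates: it parses the configuration quoted above, resolves which class a flow should hit, and flags flows whose device-reported class disagrees with that. The reported classes passed to verify() are constructed; in practice they would come from the appliance's per-connection output.

```python
import re

# Constructed copy of the configuration quoted in the bug description.
ASA_CONFIG = """access-list alltcp extended permit tcp any any
access-list bypass extended permit tcp host 10.1.110.10 host 192.168.112.72
class-map alltcp
 match access-list alltcp
class-map bypass
 match access-list bypass
policy-map global_policy
 class bypass
  set connection advanced-options tcp-state-bypass
 class alltcp
  set connection random-sequence-number disable"""

def parse_config(text):
    """Return (acls, classes, policy) for this ASA subset; policy keeps the configured class order."""
    acls, classes, policy, mode, cur = {}, {}, [], None, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"access-list (\S+) extended permit (\S+) (any|host \S+) (any|host \S+)$", line)
        if m:  # ACE: keep protocol and the host IPs (or 'any')
            name, proto, src, dst = m.groups()
            acls.setdefault(name, []).append((proto, src.replace("host ", ""), dst.replace("host ", "")))
        elif line.startswith("class-map "):
            mode, cur = "class-map", line.split()[1]
        elif line.startswith("policy-map "):
            mode = "policy-map"
        elif mode == "class-map" and line.startswith("match access-list "):
            classes[cur] = line.split()[2]
        elif mode == "policy-map" and line.startswith("class "):
            policy.append((line.split()[1], []))  # order of appearance is the match order
        elif mode == "policy-map" and line.startswith("set connection ") and policy:
            policy[-1][1].append(line)
    return acls, classes, policy

def first_match(cfg, proto, src, dst):
    """Intended semantics: the first class whose ACL permits the flow supplies the actions."""
    acls, classes, policy = cfg
    for cls, actions in policy:
        if any(p == proto and s in ("any", src) and d in ("any", dst)
               for p, s, d in acls[classes[cls]]):
            return cls, actions
    return None, []

def verify(cfg, observed):
    """Return (src, dst, expected, reported) for every flow whose reported class is not the first match."""
    expected = {(p, s, d): first_match(cfg, p, s, d)[0] for p, s, d, _ in observed}
    return [(s, d, expected[p, s, d], seen) for p, s, d, seen in observed if expected[p, s, d] != seen]
```

Feeding verify() the flows seen after the toggle described above turns the symptom into a concrete list of misclassified connections rather than a judgement call from a wall of connection output.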
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Status
- Severity
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases