Yes this is possible and should be working assuming you are on the correct platform with the configuration for it. TrustSec is of course vlan/subnet independent, all that matters is the SGT to IP binding and the SGACL that would apply between the tag/tags. So your policy should be working if everything else is up to it.
When you are being enforced across VLANs, is that also on the same switch, just different vlans, or different switches?
If we cover the basics when you are trying same vlan enforcement, does it meet some basic criteria,
1. Is the switch model capable of SGACL enforcement
2. Is the vlan included in the "cts role-based enforcement vlan-list" of the switch(s)
3. Do the SGACL's show up in "sh cts role-based permissions"
4. Do both endpoints display their "local" mappings in "sh cts role-based sgt-map all"