I have a multilayed application that I need SSO for. Browser > Web App > Web Services. I've managed to get Jasig CAS running on JbossAS 5.0.1 with JbossWS-Native 3.4.0. I can authenticate to the Web App with no problems.

The Web App is some simple JSP pages (packaged as it's own WAR)  that calls the Web Services (Packaged in another WAR file). Both WARs are configured as CAS clients and I can hit both of them in the browser (I only have to authenticate once and then I can browse freely between the two deployments)

The next hurtle is calling the web services using a JbossWS client running within a JSP. Ideally, I need the user token to flow from the JSP Web App to the Web Service in a secure and hopefully standardized way. As you can image, it's not working.

So far I've tried taking the Jsessionid and added it to the execution URL of the service, no dice ( the cas module sends a redirect and it doesn't appear that the JbossWS client follows them)

I've also tried a customing SOAP handler that inserts an http header with the jsession info. No dice

I've tried calling GetProxyToken (part of the Jasig framework, however it always returns a null token)

Has anyone gone down this road or a similar before?