Hmm. Perhaps the mojarra-people have more details but comparing with CDI, I would think the actual session instances are kept in the session and the statemanager is more for handling JSF view state.
I think sessions are created when they are needed, i.e. when a session scoped bean is being accessed for the first time. In the same manner, I would guess that invalidation happens when the session times out
(as set be web.xml or some other mechanism) or when the session is explicitly killed. And regarding the client state, I think we are talking about view state.
Regarding controllers I would say that with EE6 lots of the old "J2EE patterns" are not needed. If you know you are going to write a web application,
I have no problems in writing a backing bean that couples with JSF (using a change listener) and persisting entities which are used by the view.
If I need another sort of client, I can break out the JSF parts, add interfaces etc. That's why the people at Eclipse made refactoring so easy.
Die, DTO:s. Respawn where appropriate.