Does the Picketlink SP validate the session once it is established based on the NotOnOrAfter attribute?
What PL does is check these time conditions when receiving a SAML Response from the IdP. If they are invalid, the SP will deny the request and the session will not be established. This is performed only during the first request to the SP.
Once the user is authenticated and has a valid session on the SP, PL will never check the conditions again. The session timeout is defined in your web.xml and managed by the web container.
I would suggest you use short-lived assertions, just long enough to get users authenticated in your SPs.
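
The distinction drawn in the answer above, as an added example that is not part of the original post and is not PicketLink code: a Python model of a one-time `Conditions` check at SAML Response receipt next to a container idle timeout. The assertion fragment, the function names, the 30-second clock skew and the 30-minute timeout are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not taken from a real IdP).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
                   NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def _parse_instant(value):
    # SAML instants are UTC xs:dateTime values such as 2024-01-01T12:00:00Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def conditions_valid(assertion_xml, now, skew=timedelta(seconds=30)):
    """True if `now` lies in [NotBefore, NotOnOrAfter), allowing clock skew.

    Signature verification has to happen before this check and is not shown.
    """
    conditions = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False  # fail closed: this example requires explicit time bounds
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + skew < _parse_instant(not_before):
        return False
    if not_on_or_after and now - skew >= _parse_instant(not_on_or_after):
        return False
    return True


def session_alive(last_access, now, idle_timeout=timedelta(minutes=30)):
    """Model of a container idle timeout (web.xml session-timeout, in minutes)."""
    return now - last_access < idle_timeout
```

Evaluated at receipt time the assertion passes; evaluated again fifteen minutes later it would fail, yet the modelled session is still alive because only the idle timeout governs it.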