Do you have to force users to log-in to keep the same JSESSIONID between requests??
If I don't, my app sends a new cookie (with a new JSESSIONID) on each request. Which thus has the effect that they get a new HttpSession any all object references are lost!!
It is something to do with the Clustered HttpSession mechanism - doesn't seem to ever find the old session.
Answer in my case was to simply set the WebApp as not distributable (I don't need clustering, well at present).