The error was in my LoginProvider, of course. I wasn't calling role.setName(). You can move along now, nothing to see here... thank you.
Thanks Anil. That looks really cool, but it turns out that I don't need the full-blown federation stuff - I just need a one-time, cross-application login on the same server. And I can accomplish that by simply turning on the Valve:
<Host name="localhost" ...> ... <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> ... </Host>
More info at: http://tomcat.apache.org/tomcat-5.5-doc/config/host.htm
BTW, it would be handy to include a JDBC version of a LoginProvider to go along with the LDAP one that's provided in the sample.
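For anyone following along, here is the valve shown in a fuller server.xml Host fragment. This is an added example, not the poster's actual configuration: the Realm settings, the two Context entries and the database column names are placeholders I made up. The requireReauthentication attribute, the shared-Realm requirement and the logout behaviour are taken from the Tomcat 5.5 Host documentation linked above.

```xml
<!-- Added example (not the original poster's server.xml).
     Realm parameters, paths and column names are placeholders. -->
<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="true">

  <!-- Every web application that takes part in the SSO must authenticate
       against this one Host-level Realm. A Context that declares its own
       Realm is not a valid SSO participant. -->
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="com.mysql.jdbc.Driver"
         connectionURL="jdbc:mysql://localhost/authdb"
         connectionName="tomcat"
         connectionPassword="CHANGE_ME"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name"
         digest="SHA" />

  <!-- The SSO valve. Once a user signs in to one application on this Host,
       the other applications on the same Host accept that sign-in.
       Logging out of any one application (invalidating its session)
       invalidates the user's sessions in all participating applications.
       requireReauthentication defaults to false; setting it to true makes
       every request re-check the security Realm, so that disabling an
       account takes effect immediately instead of at the end of the SSO
       session. -->
  <Valve className="org.apache.catalina.authenticator.SingleSignOn"
         requireReauthentication="false" />

  <!-- Placeholder applications. Each still declares its own
       <security-constraint> and <login-config> in web.xml; the valve only
       shares the authenticated principal, not the access rules. -->
  <Context path="/app1" docBase="app1" />
  <Context path="/app2" docBase="app2" />

</Host>
```

Note that the SSO is scoped to the virtual Host, so applications served from a different Host element (or a different hostname) do not share the sign-in; that is the case where the federation approach Anil described becomes necessary.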