Sorry, it was a side effect of an interaction with the jmac and the old security filter.
Now we are seeing some oddness where the SAM redirects to a login url (via response.sendRedirect), but somehow the filter still seems to be invoked.
[Message sent by forum member 'brian_of_fortent' (brian_of_fortent)]
http://forums.java.net/jive/thread.jspa?messageID=279787