Instead of using com.sun.appserv.security.ProgrammaticLogin, I recommend to use the Servlet 3.0 API HttpServletRequest.login(String username, String password).
From the code snapshot, I do not see how the session id is passed in subsequent GWT call. If this is really case, then it explains why you do not see the data in the next request.
[Message sent by forum member 'swchan2']
http://forums.java.net/jive/thread.jspa?messageID=476561