Okay, I found the issue. I've been with the company for a couple of weeks. It turns out that the call to request.getSession() doesn't bring back a straight up HttpSession object. It returns an object from a custom class that overrides HttpSession. In turn, when you set or get an attribute, it checks permissions for that attribute name. So when I set the attribute and it wasn't in the xml file as an acceptable attribute, it instead added it to a cache. In return, when I call getAttribute I got the object back out of the cache.
Once I added my attribute name and class to the persistence policy xml file it worked as expected.
Too bad I wasted most of the day finding out that little detail