Inter-vm HttpSession sharing isn't a JSF characteristic. It's something that typically has to be configured in the webapp server itself - assuming that the server in question supports such a feature.
Now as far as passing a token for a Do-It-Yourself login system around, DIY logins are notoriously secure even without such complications. The
J2EE standard security system can be configured to use a SSO Realm and in that case, not only do you get proven pre-debugged security, but you don't have to do tricks with HTTPSession at all.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.