Tomcat 6 Clustering - Authenticated Session Replication

I currently have a very basic cluster composed of two Tomcat 6.0.32 instances (Tomcat1 and Tomcat2) running on the same VPS. I'm using mod_proxy_ajp and mod_proxy_balancer as the load balancer through Apache (on the same VPS). We are using basic form authentication (via j_security_check) to create authenticated sessions for users.

The load balancer is working well and unauthenticated sessions are being replicated between the two instances successfully. However, I am unable to have authenticated sessions replace between each instance.

I am using a very basic JSP called session.jsp (based on the JPS template http://www.syslog.gr/articles-mainmenu-99/15-tomcat-cluster-session-replication.html) to test the session to see if it is a new session and print out the JSESSIONID. I have one copy of the JSP inside of the protected area and one copy outside of the protected area.

I've run the following tests:

Test 1)
I access session.jsp outside of the application's protected area on Tomcat1, I note down the JSESSIONID and confirm with the load balancer that Tomcat1 handled the request. I then shut down Tomcat1 and refresh the page. The request is now handled by Tomcat2 (as confirmed by the load balancer). When the page finishes loading I see my original JSESSIONID and my session has survived.

Test 2)
I access session.jsp inside of the applicaton's protected area on Tomcat1. This prompts me to log in. After logging in I am sent to session.jsp and note down my JSESSIONID and confirm with the load balancer than Tomcat1 handled the request. I then shut down Tomcat1 and refresh the page. The request is now handled by Tomcat2 (as confirmed by the load balancer). When the pages loads I check my cookie. I now have a new JSESSIONID and I am once again prompted to log in.

So far from this I've figured that authenticated sessions aren't being replicated like unauthenticated sessions. Is this a good reason for this or does it point to a configuration problem?