This was, until just recently, unexplored territory. I knew that it could be done, that other people had done it before, and that it was darn easy to do in ColdFusion.
I have spent the last two weeks on a very intensive integration project where there was a custom UI built in JSP that needed to have a single sign-on from an existing ColdFusion application. We decided to take advantage of some of the session variables available, the catch being that the information in the session variables were encrypted (using the ColdFusion en/decrypt functions... naturally). I figured that "it couldn't be that hard" to replicate the same functionality in JSP, get the session variable... decrypt it... look the info up in the database... and set some application variables on the JSP application side. That was two weeks ago. Yesterday I figured it all out in a blinding burst of code.
What I ended up doing was writing an entire custom Java class that does all the encryption / decryption of string information passed to it. We had to instantiate the class on the ColdFusion side and not use the built in CF functions.
And this is how I did it...