top.jsp in line 22 or so has a Page directive requiring a session.
<%@ page session="true" %>
It was suggested that the true is required for Tomcat 5.5, but false is fine for Tomcat 6 (and later?):
Anyone see any reason I can't flip this back to false for a client adopting CAS under Tomcat 7? Troubleshooting a weird bug  and one effect of this directive in top.jsp is to make the logout JSP create a new session, which then (here's the weird part) gums up the next login attempt from that browser session within the servlet session duration. Flipping this back to false appears to resolve the bug, though of course I'll also want to follow up on why CAS can't cope with a fresh new session.
Make the default false again, with the comment suggesting that Tomcat 5.5 adopters make the change.
See this link for the discussion thread: