Some servlet containers attempt to do URL-based session management until a cookie is received back from the browser. This causes the CAS service URL to vary between login and validation.
The result is the following error and an INVALID_SERVICE message being sent to the client.
2015-02-14 16:55:05,835 - DEBUG [net.shibboleth.idp.cas.flow.ValidateTicketAction:101] - Service issued for https://beisdev.memphis.edu:443/ssomanager/c/SSB;jsessionid=T0CKTW7nYkR3jimTVMJt8Q5APfcKK_yhqO7nxQWeYkaMvJ5I1ebH!2125672019?pkg=bwpkebst.P_DispIDSelect does not match https://beisdev.memphis.edu:443/ssomanager/c/SSB?pkg=bwpkebst.P_DispIDSelect
Subsequent requests will then work, as cookie-based session management has been fully established.
Since CAS server 3.0.5 (2008?) the behavior has been to strip the JSESSIONID out of the URL before creating the service ticket. The relevant CAS JIRA report can be found here:
This problem was discussed on shin-dev with the subject "IdP v3.0.0 CAS Support".
A patch is attached to this JIRA issue.
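The comparison described above, with the `;jsessionid` path parameter removed from both URLs before an exact match, as an added example (this is not the attached patch and not the IdP's or the CAS server's own code; the class name, method names and sample URLs are constructed for illustration):

```java
import java.util.regex.Pattern;

public class ServiceUrlMatch {
    // ";jsessionid=<value>" as a path parameter; the value ends at the
    // next ';', '/', '?' or '#'. Containers differ on case, so ignore it.
    private static final Pattern JSESSIONID =
            Pattern.compile(";jsessionid=[^;/?#]*", Pattern.CASE_INSENSITIVE);

    // Strip the session path parameter from the path portion only.
    // The query string and fragment are left untouched, so a literal
    // ";jsessionid=" inside a query value is not silently dropped.
    static String stripSessionId(String url) {
        int cut = url.length();
        int q = url.indexOf('?');
        int f = url.indexOf('#');
        if (q >= 0) cut = Math.min(cut, q);
        if (f >= 0) cut = Math.min(cut, f);
        String path = url.substring(0, cut);
        String rest = url.substring(cut);
        return JSESSIONID.matcher(path).replaceAll("") + rest;
    }

    // The match stays exact after normalisation: no prefix or
    // case-insensitive comparison, so a ticket issued for one service
    // still cannot be validated by a different one.
    static boolean sameService(String issuedFor, String presented) {
        return stripSessionId(issuedFor).equals(stripSessionId(presented));
    }

    public static void main(String[] args) {
        // Constructed sample URLs, shaped like the ones in the log line.
        String atLogin = "https://sp.example.org:443/app/c/SSB"
                + ";jsessionid=CONSTRUCTED1234!5678?pkg=demo.Select";
        String atValidate = "https://sp.example.org:443/app/c/SSB?pkg=demo.Select";
        String otherPath = "https://sp.example.org:443/app/c/OTHER?pkg=demo.Select";
        String inQuery = "https://sp.example.org:443/app/c/SSB"
                + "?pkg=demo.Select;jsessionid=x";

        System.out.println("normalised login URL:   " + stripSessionId(atLogin));
        System.out.println("login vs validate:      " + sameService(atLogin, atValidate));
        System.out.println("login vs other service: " + sameService(atLogin, otherPath));
        System.out.println("login vs query variant: " + sameService(atLogin, inQuery));
    }
}
```

Only the first comparison reports a match; the different path and the URL carrying `;jsessionid` inside its query string are both still rejected.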