Thank you so much too! It solved my problem too.
I am using Terracotta 3.7.7 for my Tomcat 7 session clustering, and also using Spring Security OAuth2 version 1.0.5.RELEASE.
Every time my application server redirected my browser to the OAuth2 authorization server for the authorization code, the jsessionid cookie in my browser was set to a Tomcat-style jsessionid. So when the authorization server redirected my browser to my application server, my application server regarded the Tomcat session as anonymous, as my application server had only authenticated my old Terracotta session before.
The TerracottaTomcat70xSessionValve valve used to be put under conf/Catalina/localhost/myApp.xml.
Now, as you suggested, I moved the valve to conf/server.xml, and there is no more Tomcat-style session. Everything works.
Thank you again.