I've never tried it, but it doesn't surprise me that the terraotta client has issues with a security manager enabled. It might be helpful to collect the various security exceptions you're seeing in a JIRA ticket.
I don't totally understand the bit about accessing sessions through a proxy. Are you talking about java proxies to the sessions objects, or about http proxy in front of tomcat? Either way, if you're experiencing a hang, a thread dump is what we'd want to see.