I am able to get around the problem by pulling the JSESSIONID value out of the returned headers and adding it to the second url in the form of "...;jsessionid=...".
Setting the return JSESSIONID header to the same header that is returned did not fix the problem. I wonder if it could have something to do with the fact that "https=true" in in the controller.xml, but I have turned off all https processing in the config file. -Al