I had been grasping at straws yesterday, until I had uncovered a JIRA in JSFUnit that helped explain my issue. Basically, JSFUnit requires a serializable object with which it creates a session object from the servlet API.
As to Acegi, required changes are these holes for requests to the JSFUnit servlet. In the objectDefinitionSource ppty of your filterSecurityInterceptor bean add the following values:
The first two are for JSFUnit to invoke its filters and the third is for Cactus to display the test results using XSLT.