I am trying to implement single sign-on between 2 Java EE applications. Both these applications share the same registry - LDAP. I would like to navigate from one application
An implementation of CAS will work for you; it is well documented, and the changes needed to "CASify" your app are very easy.
How do your applications make use of the LDAP? Do you have an application-specific authentication mechanism implemented?
If you make use of the authentication mechanism of your Java EE appserver (the WAS), you do not need to have SSO enabled on your WAS for your users to be able to sign on to both applications at the same time.
In your WAR/EAR descriptors, define Java EE roles and authentication methods, restrict access to your applications to members of these roles, configure your WAS to authenticate against your LDAP, and during deployment of your applications bind the roles defined in your apps to LDAP users / groups (e.g. all users that authenticate against the LDAP, or some more specific group).
Changes to WAR/EAR descriptors and deployment options can all be specified in RAD 7 using the WAR/EAR editors; setup of LDAP has to be done using the WAS administration console.
EDIT:
OK, long time, no see (such config in WAS). Had to try it myself and it seems the SSO has to be turned on.
Here's my setup: I had two simple apps, one with form-based auth, the other with HTTP authentication; each defined a security role and a security constraint for its web resources. Both roles were bound in the EAR application.xml editor to "All authenticated users" (WAS-specific deployment info, stored in ibm-application-bnd.xmi). With SSO turned off, I observed the same behavior as you did.
However, after turning SSO on, it, well, started to work...
How did I turn SSO on: there are for sure multiple options; this is how to enable LTPA-based SSO with basic settings (WAS 6): go to admin console -> Security -> Global Security -> select LTPA as authentication mechanism -> Apply, then Security -> Global Security -> Authentication mechanisms -> LTPA -> Single sign on -> Enabled -> Apply, then Save all and restart.
Further settings... likely there is a need to regenerate the LTPA keys for prod deployment. To have other WAS servers join the SSO, synchronize the LTPA keys.
Sorry for the confusion in my initial response.