I don't use CGI::Application, but my approach would be to make the legacy code into CGI::Application::Pluggable instances and use a hacked ->cgiapp_prerun method to handle the login tangent depending on the target. "If it's in a module, it's not a hack".

That still leaves you with The One Class though, but maybe you can turn that inside out by making your authorization step into a plugin and using that plugin from the several legacy apps.

Disclaimer: I use basic authentication and TinyAuth to handle access to my apps, so I'm not really qualified to comment on how to put authentication into your application.