and I'm not so sure that just having that session id alone is enough.

It should be just that simple :) if all the apps share an authentication store and they're all on the same domain ( Re: Catalyst from a sub directory ) then cookies or http digest auth ought to be passed transparently between the apps

You might have luck with an example at http://wiki.catalystframework.org/wiki/livegroups :)