One part of authentication problems was caused by too aggressive request unwrapping by the DefaultContainerRequestResponseUnwrapper before invoking a portlet.
This caused the authentication state (UserPrincipal) as setup by the PortalFilter with the PortalRequestWrapper to get "lost".
I've just committed a solution for that using a new marker interface ContainerRequiredRequestResponseWrapper, and applied that on the PortalRequestWrapper as well the PortalRequest (special wrapper for Websphere).
However, even with that, by default login is still now working on Websphere.
This turns out to be caused by PortalAdministrationConfiguration.isCreateNewSessionOnLogin() now by default being configured to true.
Somehow the session.invalidate() before the authentication and getSession(true) right thereafter is somehow "losing" the authentication state on Websphere.
After I changed this configuration setting to false in assembly/administration.xml, I could login successfully again.