In org.apache.shiro.cas.CasFilter.onLoginFailure(AuthenticationToken, AuthenticationException, ServletRequest, ServletResponse) the passed-in AuthenticationException is not logged anywhere. In my case, a misconfigured SSL certificate error was being swallowed. The lack of logging meant I had to use a debugger to see the exception details.
There is a similar issue with the other override of this method, in org.apache.shiro.web.filter.authc.FormAuthenticationFilter.
Suggest logging at debug level (which is off by default in sensible setups, but can be enabled during investigations). See attached patch.