Here is an answer from the Cayenne perspective. By default, WebApplicationContextFilter lazily creates a session-bound ObjectContext for each request that the filter matches. This creates an HttpSession, of course.
So one solution would be to reduce the filter mapping from "/*" to a more specific URL that corresponds to authenticated pages. Then the Cayenne filter will not be called for anonymous users.
If this can't be done, create your own version of WebApplicationContextFilter (after all, WebApplicationContextFilter is just an example of how Cayenne can be bootstrapped in the app, so check its source and create something similar for yourself). Your own filter can implement some logic that skips ObjectContext (and session) creation for anonymous users.
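
One way to write the custom filter described above, as an added example that is not part of the original answer and is not Cayenne's own code. It assumes the Cayenne 3.0 package name for WebApplicationContextFilter and a hypothetical "authenticatedUser" session attribute set by the application's login code; it reuses the stock filter by subclassing rather than copying its source.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Assumption: Cayenne 3.0 package; adjust the import to the version in use.
import org.apache.cayenne.conf.WebApplicationContextFilter;

/**
 * Map this class in web.xml in place of WebApplicationContextFilter.
 * Anonymous requests pass straight through, so they get neither an
 * HttpSession nor a session-bound ObjectContext.
 */
public class AuthenticatedOnlyContextFilter extends WebApplicationContextFilter {

    // Hypothetical attribute name; use whatever the login code really sets.
    static final String USER_ATTRIBUTE = "authenticatedUser";

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (isAuthenticated(request)) {
            // Stock behaviour: bind the session's ObjectContext for this request.
            super.doFilter(request, response, chain);
        } else {
            // Anonymous: skip Cayenne entirely. Code behind this path must not
            // expect a thread-bound ObjectContext.
            chain.doFilter(request, response);
        }
    }

    static boolean isAuthenticated(ServletRequest request) {
        if (!(request instanceof HttpServletRequest)) {
            return false;
        }
        HttpServletRequest http = (HttpServletRequest) request;
        if (http.getRemoteUser() != null) {
            return true; // container-managed authentication
        }
        // getSession(false) only looks up an existing session; it never creates one.
        HttpSession session = http.getSession(false);
        return session != null && session.getAttribute(USER_ATTRIBUTE) != null;
    }
}
```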