What I think would work would be to change your .Net client code to send over the JSessionID as a cookie value in its request. That way the functionality you have ought to work again.
It's worth noting that exposing the Session ID in URLs can expose you to certain security vulnerabilities, so it may be something you want to look at avoiding in future.
I have used the database approach you mention also. If you go this route, have the CF code insert a record using a GUID as an identifier and a timestamp for when the record was created. On the .Net side, look up the GUID and only accept the request if the timestamp is from less than X seconds ago, so you don't create a token which will authenticate you for a long time. X needs to be the max amount of time you think it'll take a client to follow the redirect from CF to the .Net pages, so 2 is likely plenty. You will want to delete used tokens and have a scheduled task to delete 'unused' tokens.
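
The token handoff described in the answer above, as an added example that is not code from the original post. Python with an in-memory SQLite table stands in for the database shared by the CF and .Net sides; the table, column and function names are assumptions.

```python
import sqlite3
import time
import uuid

MAX_AGE_SECONDS = 2  # "X" in the answer: time allowed to follow the redirect


def open_store():
    """Create the shared token table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE handoff_token ("
               "token TEXT PRIMARY KEY, user_id TEXT NOT NULL, "
               "created_at REAL NOT NULL)")
    return db


def issue_token(db, user_id, now=None):
    """Issuing side (CF): store a random GUID with its creation time."""
    token = str(uuid.uuid4())
    now = time.time() if now is None else now
    with db:
        db.execute("INSERT INTO handoff_token VALUES (?, ?, ?)",
                   (token, user_id, now))
    return token


def redeem_token(db, token, now=None):
    """Accepting side (.Net): return the user id once, and only if fresh."""
    now = time.time() if now is None else now
    with db:
        row = db.execute("SELECT user_id, created_at FROM handoff_token "
                         "WHERE token = ?", (token,)).fetchone()
        # Delete on every lookup so a token can never be presented twice;
        # rowcount confirms this request is the one that consumed it.
        used = db.execute("DELETE FROM handoff_token WHERE token = ?",
                          (token,)).rowcount
    if row is None or used != 1:
        return None
    user_id, created_at = row
    return user_id if 0 <= now - created_at <= MAX_AGE_SECONDS else None


def purge_stale(db, now=None):
    """Scheduled task: remove tokens that were issued but never used."""
    now = time.time() if now is None else now
    with db:
        return db.execute("DELETE FROM handoff_token WHERE created_at < ?",
                          (now - MAX_AGE_SECONDS,)).rowcount
```

On a database server with concurrent requests, run the lookup and delete in one transaction (or one statement) so two simultaneous requests cannot both redeem the same token.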