The default behavior of the SecurityContextLogoutHandler is to invalidate the session. This causes an IllegalStateException in HttpSessionContextIntegrationFilter following logout. I fix this in security.xml:

         <constructor-arg>
             <list>
                 <ref bean="rememberMeServices"/>
- <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
+ <ref bean="logoutHandler"/>
             </list>
         </constructor-arg>
         <property name="filterProcessesUrl" value="/logout.jsp"/>
     </bean>
 
+ <bean id="logoutHandler" class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler">
+ <property name="invalidateHttpSession" value="false"/>
+ </bean>
+
     <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
         <property name="authenticationManager" ref="authenticationManager"/>
         <property name="authenticationFailureUrl" value="/login.jsp?error=true"/>