The important additions to the web.xml are the 403 error page and, optionally, the Single Sign Out listener. 403 is what the CAS Validation Filter will throw if it has a problem with the ticket. If you want Single Sign Out, you should also enable the SingleSignOutHttpSessionListener.
This setup relies on the CAS2 protocol. One could imagine swapping in the SAML 1.1 response, obtaining attributes from it, and then using more of the J2EE PreAuth filter support to load the roles from those attributes.