jme1234
Re: SSO with Web API
Mar 21, 2012 07:35 PM
So I'm looking to do:
1. JSP site has a login page that posts the username to the Web API authentication service\endpoint\controller, whatever you want to call it:
JSP site -> Web API authentication controller POST method -> returns JSON containing the user's name and an encrypted auth token -> JSP site stores the token in its session
2. If the user did manage to log in to the JSP site and then happens to need to request a page that lives in the original ASP.NET site, the JSP site would send a POST containing the token to an HttpHandler on the ASP.NET site. The handler will decrypt it and, if it can decrypt it, do a Response.Redirect and send them on to the page the user intended to go to:
JSP site -> (posts to) ASP.NET site HttpHandler -> handler decrypts token -> redirect to desired page
So nothing would be in the query string at any point (no auth token anyway), and everything would be over HTTPS as well. If this is not an ideal or safe enough way, what would be suggested? Thanks!
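
The token round trip described in the post above, as an added example that is not part of the original post or of any project's code. It uses AES-GCM so that "the handler can decrypt it" also means the token was not altered. It assumes .NET 8 or later and a 32-byte key shared by the Web API and the handler; the `SsoToken` class, its method names, the five-minute lifetime and the `userName|expiry` payload layout are all hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SsoToken   // hypothetical name, not from the original post
{
    const int NonceLen = 12, TagLen = 16;   // AES-GCM nonce and tag sizes in bytes

    // Web API side: encrypt "userName|expiryUnixSeconds" under the shared key.
    // Token layout (an assumption): nonce || tag || ciphertext, Base64-encoded.
    public static string Issue(byte[] key, string userName, TimeSpan lifetime)
    {
        long exp = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        byte[] plain = Encoding.UTF8.GetBytes(userName + "|" + exp);
        byte[] token = new byte[NonceLen + TagLen + plain.Length];
        RandomNumberGenerator.Fill(token.AsSpan(0, NonceLen));   // fresh nonce per token
        using (var aes = new AesGcm(key, TagLen))
            aes.Encrypt(token.AsSpan(0, NonceLen), plain, token.AsSpan(NonceLen + TagLen), token.AsSpan(NonceLen, TagLen));
        return Convert.ToBase64String(token);
    }

    // Handler side: true only if the tag verifies and the token has not expired.
    public static bool TryValidate(byte[] key, string token, out string userName)
    {
        userName = "";
        if (string.IsNullOrEmpty(token)) return false;           // POST field missing
        try
        {
            byte[] raw = Convert.FromBase64String(token);
            if (raw.Length < NonceLen + TagLen) return false;    // too short to hold nonce and tag
            byte[] plain = new byte[raw.Length - NonceLen - TagLen];
            using (var aes = new AesGcm(key, TagLen))
                aes.Decrypt(raw.AsSpan(0, NonceLen), raw.AsSpan(NonceLen + TagLen), raw.AsSpan(NonceLen, TagLen), plain);
            string text = Encoding.UTF8.GetString(plain);
            int sep = text.LastIndexOf('|');                     // user name may itself contain '|'
            if (sep < 0 || !long.TryParse(text.Substring(sep + 1), out long exp)) return false;
            if (DateTimeOffset.UtcNow.ToUnixTimeSeconds() > exp) return false;
            userName = text.Substring(0, sep);
            return true;
        }
        catch (Exception e) when (e is FormatException || e is CryptographicException) { return false; }
    }

    public static void Main()
    {
        byte[] key = new byte[32];                               // constructed demo key
        RandomNumberGenerator.Fill(key);
        string token = Issue(key, "jdoe", TimeSpan.FromMinutes(5));   // "jdoe" is a constructed user name
        Console.WriteLine(TryValidate(key, token, out string user) + " " + user);
        byte[] raw = Convert.FromBase64String(token);
        raw[raw.Length - 1] ^= 1;                                // flip one ciphertext bit
        Console.WriteLine(TryValidate(key, Convert.ToBase64String(raw), out _));
    }
}
```

The handler would call `TryValidate` on the posted token and redirect only when it returns true; the altered copy in `Main` is rejected because the authentication tag no longer matches.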