Hi,
I have had the same error message. Ours is the CF11 standard, IIS 8.5, Windows 2012 on an Amazon server, and Trustwave also scans our server for PCI compliance. There's a good summary of this issue with Tomcat here: http://stackoverflow.com/questions/8072311/adding-hform-causes-java-lang-illegalstateexcep tion-cannot-create-a-session
This error message first started appearing after upgrading from CF10 to 11 and simultaneously moving from a solid-state server managed by a local service to an Amazon cloud server.