I found the following diagram from here very elucidating:
I believe I get all parts of the interaction except the setting of the MOD_AUTH_CAS_S cookie in the second access to the application (protected app #2) but I understand this is related to an Apache-specific module.
In case this should ever go down here's a copy of the CAS protocol specification in pdf and HTML. And here's a nice high-level presentation.