Inside the Java middle tier of your plugin, through the UserSessionService API, you have access to all vCenter servers and the session cookies for each of them (_userSessionService.getUserSession().serversInfo.sessionCookie).
Session cookies allow your plugin Java middle tier to reuse an already established vCenter session but should not be exposed outside of the vSphere Client's application server as they can compromise the security of the environment.
Instead, inside the middle tier of your plugin you need to use the vCenter SessionManager.AcquireCloneTicket() API (https://www.vmware.com/support/developer/vc-sdk/visdk41pubs/ApiReference/vim.SessionManager.html#acquireCloneTicket) using the vCenter session cookie for authentication. You can pass the ticket you received from this call to your backend (for example in a custom header) and the backend in turn can establish a new vCenter session by calling the SessionManager.CloneSession() vCenter API (https://www.vmware.com/support/developer/vc-sdk/visdk41pubs/ApiReference/vim.SessionManager.html#cloneSession). When talking to the SessionManager in your backend you can have an anonymous session - CloneSession() will set up the authenticated session from this point on (depends on what client library you use - works out of the box with the vSphere Web Services SDK for Java).
The proposed approach is more secure than just passing around the vCenter session cookie since the clone ticket can be used only once in a call to CloneSession() and will become invalid afterwards - so if a middle man sniffs the value, it will be too late for it to abuse the ticket.
To pass the session cookie in API calls to vCenter inside your Java middle tier, you can refer to the DataProviderImpl.getServiceContent() method inside the vsphere-wssdk-service sample from the SDK.
Let me know how this works for you and I can help further.
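The ticket exchange described in the post above, sketched as an added example (not part of the original post and not code from the SDK samples). It assumes the vSphere Web Services SDK for Java (`com.vmware.vim25`) over JAX-WS with the `javax.xml.ws` namespace; the class name, method names and the `sdkUrl` parameter are hypothetical, and the transport that carries the ticket from the middle tier to the backend is left out.

```java
import com.vmware.vim25.*;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.MessageContext;
import java.util.*;

public class CloneTicketExchange {                 // hypothetical class name

    private static ManagedObjectReference serviceInstance() {
        ManagedObjectReference ref = new ManagedObjectReference();
        ref.setType("ServiceInstance");
        ref.setValue("ServiceInstance");
        return ref;
    }

    // sdkUrl is an assumed parameter, e.g. the vCenter "/sdk" endpoint URL.
    private static VimPortType newPort(String sdkUrl) {
        VimPortType port = new VimService().getVimPort();
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, sdkUrl);
        // Keep the HTTP session so the cookie issued after CloneSession() is reused.
        ctx.put(BindingProvider.SESSION_MAINTAIN_PROPERTY, true);
        return port;
    }

    /** Middle tier: the session cookie is used here and never leaves this method. */
    public static String acquireTicket(String sdkUrl, String sessionCookie) throws Exception {
        VimPortType port = newPort(sdkUrl);
        Map<String, List<String>> headers = new HashMap<>();
        // Cookie name as used by the vCenter SOAP endpoint.
        headers.put("Cookie", Collections.singletonList("vmware_soap_session=" + sessionCookie));
        ((BindingProvider) port).getRequestContext()
                .put(MessageContext.HTTP_REQUEST_HEADERS, headers);
        ServiceContent content = port.retrieveServiceContent(serviceInstance());
        // One-time ticket: hand this to the backend over TLS and keep it out of logs.
        return port.acquireCloneTicket(content.getSessionManager());
    }

    /** Backend: starts anonymous, becomes authenticated once the ticket is redeemed. */
    public static VimPortType redeemTicket(String sdkUrl, String cloneTicket) throws Exception {
        VimPortType port = newPort(sdkUrl);
        ServiceContent content = port.retrieveServiceContent(serviceInstance());
        // Throws InvalidLoginFaultMsg if the ticket was already used or is unknown;
        // treat that as a failed authentication and do not retry with the same ticket.
        UserSession session = port.cloneSession(content.getSessionManager(), cloneTicket);
        if (session == null || session.getKey() == null) {
            throw new IllegalStateException("CloneSession() returned no session");
        }
        return port; // subsequent calls on this port run in the cloned session
    }
}
```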