The cookie issue of course, is because when you first loadup the login page, it creates a session and sets the roundcube_session cookie.
To get around this, since we want to bypass the login-page, I had to have our page that launches to roundcube actually access the login page to create the session and scrape the Set-Cookie header, update the rouncube session database with the IP address of the client for the matching newly-created session, and return the Set-Cookie header in our response.
As a result, the client browser will already have the cookie set when they POST to the login page, resulting in successful login.
This could be avoided if Roundcube was patched to allow for an auto-login like this.