Thanks for the pointer.
Our php.ini file pointed to /var/lib/php/session which under RedHat is installed by the PHP RPM with ownership as apache.apache. No other PHP scripts on the server used that dir by default (they all referenced their own). Changing ownership to nobody.nobody got the admin section working, however the solution was not optimal as I don't want just anyone installing a PHP script and writing out sessions to /var/lib/php/session.
Therefore, I decided to modify /calendar/setup/sessionPath.php and include the following code:
$sessionPath_filename = dirname(__FILE__);
$sessionPath_filename = str_replace('setup/sessionPath.php','session',$sessionPath_filename);
After doing this, I created the directory /calendar/session, chmoded to 777 and put a .htaccess file in there with these contents:
So session information couldn't be pulled up via a simple web request by anyone.
It would have helped out a good bit if instructions existed somewhere that gave an indication that the admin login looping could have been either (1) permission related, (2) ownership related or (3) session save path related. For (3) a pointer to /calendar/setup/sessionPath.php would have been great.
If you were to include this hack in your standard distro, it could help avoid the issue where the session save path is not writable by the web user (which I think is a pretty regular scenario).
Anyway, thanks - we've got it working.