I was wondering if anyone knows if the ClientSession's identity (aka the value returned from getName()) MUST be unique?
The name is provided by the authenticator, (The entire internal Identity object actually is. That will make more sense when you have the document on writing Authenticators that I'm writing now.) So the answer to your question is that it is completely up to the policy of the authenticator.
I notice that each ClientSession object has a ClientSessionId which appears to be unique. But does the identity also have ot be unique with a game? (Aka does the ClientSession get persisted using the sessionid or the identity?
A ClientSession and everything relating to it is only valid for the life of the session. So while it is unique at a point in time, its not necessarily historically unique.
If you want a unique identifier other then name, it should be provided by your authenticator in an extended Identity object that you use a custom manager/service pair to read. Again, this is all in the doc I'm writing now.
Does that make sense?