I think I have an idea about why our LTPA_DominoSecret is empty. We don't generate our SSO keys in domino but we import those generated in our websphere environment into the Notes Document (Using the action Keys\Import WebShere LTPA Keys). This step is necessary in order to have SSO across WebSphere and Domino.
Doing this results in the field scenario outlined in my first post.
Does NTLMLTPA support keys generated in WebSphere and imported in Domino?