Thanks! We consulted with a Cosign expert, and we did have a configuration issue. The fact that it was working in ASP was throwing me off.
In our case, Cosign protection was not enabled in the web.config file at the document root, but only enabled for the directory in question (/test) by the web.config file in that folder.
When we enabled protection at the document root (and removed the web.config file at the directory level), the server environment variables for auth_type, auth_user, and remote_user were passed on the ColdFusion.