I guess your application server is configured to serialize sessions (possibly on exit or for clustering) and de-serialize them later. If so, all classes referenced from the session should be serializable.
Note that if for server startup, failure to deserialize should (on most servers) just cause a new session to be created, and the message can be treated as a warning.