1) at a minimum, the cart page should direct the checkout page on the SSL server. the return page should also be on the ssl server.
2) the session variables are created on the pp_confirm page.
3) there are three server behaviors for PayPal Express, 1 on the checkout page and 2 on the pp_confirm page. you need to edit all three of these to not use the paypal sandbox.
You also need to edit the local checkout server behavior on the confirm page to not use test mode with authorize.net.