Just tested some more:
When shadowing a session on the same server you must specify hServer and pServername can be empty string or nil.
When shadowing a session on another server you must specify nil for hServer and the remote computername (or IP) for pServername (actually the last method works for both local and remote, so it's easier to use that one always).

I will also test passing pServername to WinStationConnect, WinStationShadowStop is harder because this must be done from a third session (or indeed the shadowed session). Besides what's pServername for WinStationShadowStop, is it the server who's shadowing or the one being shadowed?

Just a though coming up: What if the user who's being shadowed can end the remote control when he or she wants to? That would be a nice feature. It would probably require running some kind of agent in the users session who monitors it's own session state and pops something up when being shadowed. From this popup there could be a "Stop shadowing me" button.