I've done this forever on multiple apps successfully: Attach roles from my own source in the global.asax. Have a sitemap provider in the web.config with securityTrimmingEnabled set to true, and have various web.configs in sub directories to manage the allowed roles.
This is working on my dev box and has been working in production. Working on a site redesign. To demo the new beta design I created a nested child app in production. The nested version is properly trimming menu items that only depend on being authenticated. The links depending on roles however are all being trimmed. It's acting like I don't have any roles. I wrote a page to spit out the roles I do have to confirm and it reports that I do have them. So the menu items should be visible.
I did a nested app on my dev box to see if I could reproduce the problem by chance that was the issue, but both dev versions work as expected.
This is a 3.5 app. I am also using my own hacked version of FriendlyCssAdapters to spit out bootstrap markup for the menu. I set both apps in production to use the same cookie and machine key so its a single sign on system for both apps.