Yes, there's a securityToken field and it's necessary for the POST. If you open Blogger's original comment page at https://beta.blogger.com/comment.g?blogID=xxx&postID=xxx, you can find it and its value is like "v9_v9qDtWj71ChM_jjf8r5_49xw=:1163469412333". It looks like a base64 encrypted string and a timestamp.

Whatever it is, if you add this field to your form, the new comment entry should be POSTed correctly. Note that you may need to get this token from the page whose post id is the same with the post you want to comment.

My servlet would do this job automatically. Everytime before I make a POST, I would fetch the comment.g page and parse this token, and then submit it with all other params to comment.do.

I also tried to submit a comment from a HTML page from my local driver with a copy-paste field of securityToken from comment.g and it works. I think it's much easier for a test.