Step through the logical order of the workflow and double-check that all the possible paths are consistent with the purpose of the workflow.
You can also use this as an opportunity to check for parts of the workflow that could become cyclical.
The validation in the above tutorial always returns true.
The sender’s cert must be loaded into the receiver’s truststore, so the receiver can use whatever is in the truststore to validate the signed doc. Your understanding is correct - with self-signed certificates anyone can create a certificate and signature validation will be ok.
This includes the following validations: Each process has either one continue connector or one success connector and one failure connector leading from it.
This ensures that each process continues on to another step in the workflow regardless of whether the process is successful or unsuccessful.
Although validating a workflow does not guarantee that every process will be completed successfully when deploying a workflow, it helps to limit the possibility of errors during the deployment.
While you are creating a workflow, you can use System Manager to validate the workflow.
To use System Manager to validate a workflow, from the Workflow menu, select Validate Workflow.
Otherwise, use the Java PKI Programmer Guide (as linked from the tutorial you've used).
Validating a workflow is an important step in creating a workflow.
The PKI system doesn't apply only to web servers, but to any entity (there are additional rules for web servers to verify that they're the one you want to talk to, on top of having a valid certificate).
(In particular because the choice of which CA certificates to trust is often done on behalf of the user, at least by default, by the OS or browser vendor, this model isn't perfect, but it's the most common in use.) Alternatively, there's nothing wrong with establishing a list of self-signed certificates you would trust in advance.