The implementation in the cloud portal is actually quite trivial, we adhered to http://tools.ietf.org/html/rfc6238, which allowed us to re-use the google authenticator client. You should be able to find Java libs that allow you to do the backend part of it.
In a nutshell, it's not really more than:
The easiest way to ensure that your app is safe is to check the TFA code at login, doing it 'inside' the session (as in the cloud portal) is much more of a hassle.