I'm also interested in responses related to deploying Broadleaf on Heroku. As to your second question, the demo application in our latest release deploys the admin and demo together, so you can see how we do it by examining the demo code. There are some nuances with the security that you may run into. For example, we do not consider someone who is logged into the site to be logged into the admin. However, a logout from either the admin or the demo will log out both parties, as the user is sharing a session that gets invalidated.
The approach of combining the two will work for many applications of Broadleaf, but we do not recommend it as a best practice. For high-volume sites, we prefer to scale admin and web separately. Also, we recommend having additional security measures (e.g. VPN) for accessing admin functionality.