servlet tier must authenticate itself to the ejb tier in a same way you'd authenticate your standalone client to the ejb-tier -- either use the JAAS client callback handler and ClientLoginModule in your tomcat JVM or provide the credentials to your EJB proxies directly via jboss SecurityAssociation class.

Tomcat of course needs to be setup with its own security configuration (as specific to the servlet engine) to authenticate the incoming HTTP requests.