The 1.21 change:
from: protected String createPasswordHash(String username, String password)
to: protected String createPasswordHash(String username, String password, String digestOption)
breaks existing code if subclassing overrides the method ("to provide customized password hashing" as stated in the doc).
Create a bug report in jira
http://jira.jboss.com/jira/browse/JBAS