1) If necessary, you can do this. There are obvious reasons not to do it, but if you are hardware-constrained, it's better than running test and prod on the same box.
2) IMO, use the integrated solution for sure. Security is integrated, all calls are in-VM (local vs remote), etc.
3) Sure. This is not uncommon. Use Apache with mod_jk/mod_jk2 to communicate via AJP to Tomcat or Jetty.
4) It could work, but remember, you'd be slicing the memory and processor in two. It'd be sacrificing performance (big time if it's only a one-way box) for a *possibly* more available system (assuming the only problem you have is localized to one of the JBoss instances). IMO, using a cluster in this case wouldn't buy you much - unless it's a 4-way box with at least 2 NICs. Mileage may vary, but we've had JBoss up 24x7 for 8 months without an outage.
Just one dude's opinion.....
mike