After experimenting, reading source code, and much hair-pulling, I still can't find any way to encrypt SOAP headers using JBossWS. In particular, the UsernameToken header remains unencrypted and doesn't seem to support nonce's.
Speaking of this, the documentation for the WS-Security implementation is "somewhat" lacking. Using BindingProvider.USERNAME_PROPERTY (as shown in your tests) doesn't work because its constant is different from Stub.USERNAME_PROPERTY, which is what WSSecurityDispatcher.java uses to determine whether or not to include the header. Similarly for PASSWORD_PROPERTY.
So, the question of the day is: how do you encrypt or secure a username/pasword combination sent via the WS-Security UsernameToken header that is included by means of something like