They should be the same, with the slight difference that in a web app the configuration files and keystores should appear in WEB-INF rather than in META-INF.
Please post the locations of the relevant files inside both the EJB package and the web app package. Also post the contents of the relevant configuration files for the web app.
Please consider this: http://jira.jboss.org/jira/browse/JBWS-1999
In few words, the jaas authentication is supposed to work with EJB3 endpoints only until that issue is fixed (and it's scheduled for the next release, 2.0.5 native).
Oops. my goof. I saw WS-Security authentication and automatically thought message signing, which I have done with both EJBs and POJOs.