Today I ran into exactly the same problem and I wonder if you solved the issue in the meantime.
Thanks in advance,
Make sure you set an unauthenticatedIdentity module option on your security domain used on EJBs.
Thanks, J9ra, after adding
to the application policy, the issue was solved.