For the Kerberos/SPNEGO use case, the setup will be as follows:
1) The web app is guarded by JBoss Negotiation.
2) The login module will be JBWSTokenIssuingLoginModule. It needs the option handlerChain=binary, which installs the BinaryTokenHandler. That handler can be set to pick an HTTP header or cookie and send it in a WS request to the STS. The valueType etc. can also be set on the WS binary request.
3) The STS receives the WS-Trust issue request. If a wsse binary token is available, it looks at the value type. If it is Kerberos, it does the GSS magic to get the user details and issues a SAML v2 assertion.
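
A sketch of the STS-side check in step 3, added here as an illustration and not taken from PicketLink or JBoss Negotiation: it dispatches on the binary token's ValueType and takes the user name only from a GSS context that accepted the ticket. The class and method names are hypothetical, the Kerberos ValueType URI is assumed to be the one from the WSS Kerberos Token Profile 1.1, and the sample request is constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class BinaryTokenDispatch {
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    // Assumption: the value type the binary handler is configured to send for Kerberos.
    static final String KERBEROS_AP_REQ =
        "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ";
    // Returns the decoded token if the request carries exactly one Kerberos binary token, else null.
    static byte[] kerberosToken(String soap) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so the STS does not resolve external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList tokens = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(soap.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagNameNS(WSSE_NS, "BinarySecurityToken");
        if (tokens.getLength() != 1) return null;   // none, or ambiguous: do not guess
        Element t = (Element) tokens.item(0);
        if (!KERBEROS_AP_REQ.equals(t.getAttribute("ValueType"))) return null;
        return Base64.getMimeDecoder().decode(t.getTextContent().trim());
    }
    // Must run inside Subject.doAs with the STS service principal's keytab login.
    static String authenticatedUser(byte[] token) throws Exception {
        GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
        try {
            ctx.acceptSecContext(token, 0, token.length);
            if (!ctx.isEstablished()) throw new SecurityException("incomplete GSS exchange");
            return ctx.getSrcName().toString();   // identity comes from the ticket, not the request
        } finally { ctx.dispose(); }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request; the token bytes are a placeholder, not a real ticket.
        String soap = "<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/'><s:Header>"
            + "<wsse:Security xmlns:wsse='" + WSSE_NS + "'><wsse:BinarySecurityToken ValueType='"
            + KERBEROS_AP_REQ + "'>cGxhY2Vob2xkZXI=</wsse:BinarySecurityToken>"
            + "</wsse:Security></s:Header><s:Body/></s:Envelope>";
        byte[] token = kerberosToken(soap);
        System.out.println("Kerberos token bytes: " + (token == null ? "none" : token.length));
    }
}
```

The assertion subject should be built only from the value `authenticatedUser` returns; a request whose token fails `acceptSecContext` gets no assertion.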