I have worked around the CLI not working by hacking the standalone.xml directly (with the application server stopped). Once I created the security domain through the CLI, it was clear where to put this stanza:
<security-domain name="guvnor" cache-type="default">
<login-module code="UsersRoles" flag="required">
<module-option name="usersProperties" value="/opt/jboss/as/jboss_current/standalone/configuration/guvnor-users.properties"/>
<module-option name="rolesProperties" value="/opt/jboss/as/jboss_current/standalone/configuration/guvnor-roles.properties"/>
Note the relative path has changed to an absolute one. Apparently configuration is not on the classpath since JBoss AS 7. There doesn't seem to be a best practice for where to put these files/how to reference them other than to put them into the WAR, which kinda defeats the purpose a bit. I suppose people will really deploy against LDAP, as I intend to once I get a fully working system.