I have worked around the CLI not working by hacking the standalone.xml directly (with the application server stopped).  Once I created the security domain through the CLI, it was clear where to put this stanza:

                <security-domain name="guvnor" cache-type="default">

                    <authentication>

                        <login-module code="UsersRoles" flag="required">

                            <module-option name="usersProperties" value="/opt/jboss/as/jboss_current/standalone/configuration/guvnor-users.properties"/>

                            <module-option name="rolesProperties" value="/opt/jboss/as/jboss_current/standalone/configuration/guvnor-roles.properties"/>

                        </login-module>

                    </authentication>

                </security-domain>

Note the relative path has changed to an absolute one.  Apparently configuration is not on the classpath since JBoss AS 7.  There doesn't seem to be a best practice for where to put these files/how to reference them other than to put them into the WAR, which kinda defeats the purpose a bit.  I suppose people will really deploy against LDAP, as I intend to once I get a fully working system.