When using FORM authentication it is expected a page with a form and an action to "/j_security_check". In this case, there is no need to invoke a login method of a bean to authentication your user. PicketLink will extract both "j_username" and "j_password" from the request and automatically authenticate the user.
Now, if you are using AJAX, you may try to prepare a POST request to j_security_check passing the j_username and j_password as parameters. Or even try to use BASIC authentication.