I was thinking about the same scenario a couple of days ago, but could not find a solution. The problem as I see it is that CLIENT-CERT is registered globally in web.xml for the whole application.
In the JBossWeb configuration, there is an attribute called verify-client.
Try to use CLIENT-CERT authentication in the web.xml and use verify-client=false.
With this approach, you can secure certain pages in your application with client certificate authentication and at the same time your entire application will be accessed via TLS/SSL.
> secure certain pages in your application with client certificate authentication

The question is how "certain" can be achieved. From my point of view, all or none could be configured in web.xml.
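
One way the per-page scoping asked about here can be expressed in web.xml, as an added example that is not from any poster in this thread: the `login-config` is application-wide, but CLIENT-CERT authentication is only triggered for URL patterns that carry an `auth-constraint`. The `/secure/*` pattern and the `cert-user` role are assumed names, and the sketch assumes the connector is set to verify-client=false as suggested above and that the application's security domain maps certificates to that role.

```xml
<!-- WEB-INF/web.xml (fragment). URL patterns and role name are assumptions. -->
<web-app>
  <!-- Only /secure/* has an auth-constraint, so only requests to it
       trigger CLIENT-CERT authentication. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>cert-protected</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>cert-user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Everything else: TLS is required, but there is no auth-constraint,
       so no client certificate is demanded. The more specific /secure/*
       pattern wins over /* for requests that match both. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>tls-only</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Declared once for the whole application; it names the mechanism
       used whenever an auth-constraint applies. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <security-role>
    <role-name>cert-user</role-name>
  </security-role>
</web-app>
```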