There are two sides to authentication: the current (server) identity, and the captured (client) authentication context.
As you have correctly discovered, the client authentication context should be captured using AuthenticationContext.getCurrent(). In the new thread, the captured context can be restored by putting your task body inside of an authCtxt.run() block.
The server side identity can be captured and restored in a similar way. First you must acquire your security domain (typically via SecurityDomain#getCurrent()) since each security domain may have different active identities. Then use domain.getCurrentSecurityIdentity() to return the identity itself, which can be restored by using its runAs() methods.
Thank you so much! The server side identity did the trick :-)