I was able to get around most of the issues by including the permissions.xml file with AllPermission into each of my wars. However, one of my wars is still seeing the issue. This particular war happens to be from a third party. My best guess is that there are permissions being set somewhere within the war. Besides the permissions.xml and the security-manager subsystem in the standalone.xml, are there other places that someone can define permissions?
Are these standalone WAR deployments or are they contained in an EAR? As for an EAR, the permissions.xml should be specified at EAR (META-INF/permissions.xml) level.
Regarding the issue with java.security.AllPermission not doing what you expect, I'm not sure why that it is happening.