All you can do is flush the authentication caches for every security domain.
Even if you flush authentication caches (how do you achieve this without tampering with the JBoss source?), clients still have principal/credential information stored. And they will use it on the next EJB invocation.
The clients need to issue a logout to remove any credentials previously bound during the login.