Do you need the exploded web-apps because you are making changes that you want Tomcat to pick up right away? If so, I don't know of any way to do this, other than running a different Tomcat instance with its own security. You will still be able to call EJBs in a separate JBoss server.
It's a while since I've done it, but you would want to use the simple interceptor which does nothing other than set up credentials to be passed to JBoss (as any other distributed client would). So you would no longer use org.jboss.tomcat.security.JBossSecurityMgrRealm but use the standard Tomcat JDBCRealm to allow Tomcat to do its authentication and add an extra interceptor, org.jboss.tomcat.security.JBossRealm, to set up the security association with JBoss. I think that's it ...
This is a pain, as you have to configure two separate security systems, but you can use Hypersonic as the database for Tomcat's JDBCRealm too.
You can then deploy your complete apps in JBoss/Tomcat, running on one port (e.g. 8080) and have another separate Tomcat instance running (on e.g. port 80) which points to the expanded webapps.