I have the same problem and am very interested in a solution.
Make sure you're not trying to access the login page directly. Access a page in the protected area and it should auto-redirect you to the login page. If that does work, in your login page where your action is j_security_check, add
<%= response.encodeURL("j_security_check") %>.
I don't know why, but it worked without that in the previous version I was working with. But that seemed to solve it.
I think since JBoss 3.0rc1 comes with URL rewriting to provide a jsessionid, the encodeURL call adds a jsessionid parameter and this solves our problem. In my opinion, without it JBoss does not recognize the right session of the request and does something we do not want.