It's been a while since I've done this myself but here's what I reckon is happening:
Classes are banned from being loaded over RMI unless you have a security manager installed in the JVM which is receiving the class. This is to prevent accidentally loading untrusted code -- i.e. a class -- into your JVM.
Setting up a security manager is done by code such as:
You may then need to set up a policy file to enable permissions for the local JVM to load classes -- I can't remember what the default is. Check out the Javadocs and Policytool docs for more info.
Once this is set up, your client will be able to load classes over RMI.
The reason your client succeeds when you run it within JBoss is that it will then share the classpath, and load the necessary classes from the classpath rather than over RMI, thus avoiding these security issues.
Hope it helps.