I was facing the exact same problem, after searching this forum and some testing, looks like you should not (or can not) protect your MDB at all.
So, now I deploy MDB in its own jar without security domain, deploy other EJBs protected. In the onMessage() method of MDB, use LoginContext and Subject.doAs() to access secure EJBs. Think about it again, maybe there is no reason to protect MDB at all, it will always be called from internal.
I fixed the problem using the option