I'm having the same problem. The EJB spec contains such scenarios that allow the creation of a trust relationship between two EJB container, like there exists a trust relationship between the EJB and the WEB container. (Chapter 19 in EJB 2.0).
The JBoss SX architecture motivated the idea to use JAAS for that purpose. Unfortunately this easier said as done. My attempt was to create a "gateway bean" working like a facade that takes calls of the first EJB container, uses credentials to log on the other container and delegate the call. This has the great restriction that all calls have to be made by the (stateful) gateway bean (it acts as a client and is the only one with the correct security context). Besides it has to authenticate for every call with is a big performance issue.
So the other idea is to use the SSL enabled JRMPInvoker (i'm trying to get it to work at the moment, but unfortunately the invoker conf in JBoss 3.2.1 has changed somehow and I can't find any documentation for it).
well I hoped that helped a bit,