I have solved this problem by removing "password-stacking" option from a login modules. I still don't understand why it did not work with it, if JAAS spec says:
use_first_pass - If true, the first LoginModule in the stack saves the password entered, and subsequent LoginModules also try to use it. LoginModules do not prompt for a new password if authentication fails (authentication simply fails).
In my case only the first login module, after ClientLoginModule, was ever invoked using this option. So it looks like this option breaks the chain of login modules.
Its upto the login modules to decide whether or not password stacking implies that all login modules perform authentication. The JBoss login modules assume that password stacking implies that the first login module obtains and validates the password, subsequent login modules only use the credentials if needed to obtain roles. Submit a patch that allows chained login modules to validate the shared credentials.