In my original posting I overlooked the fact that the server doesn't need to remember the newly generated certificate for the client. It just needs to be able to authenticate the CA for this certificate, which is the server itself.
Knowing this simplifies everything. The authenticating proxy as well as all clients need to be equipped with the certificate of my CA to authenticate each other. The JBoss clusters don't have to know about this at all, as the requests that they accept are already "de-SSL'ed".
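The point above, as an added example that is not part of the original post: the verifying side (the proxy) holds only the CA certificate and still accepts a client certificate it has never seen, while rejecting one issued by a different CA. It assumes the `openssl` command-line tool is installed; the function names, subjects and file layout are constructed for illustration.

```shell
#!/bin/sh
# Added example; all names, subjects and paths are constructed.

# Create a CA key and a self-signed CA certificate in directory $1 with CN $2.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Issue a client certificate for CN $2, signed by the CA in directory $1.
# Writes $3.key and $3.crt. The CA does not keep a copy of the result.
issue_client_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$3.key" -out "$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$3.csr" -days 1 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$3.crt" 2>/dev/null
}

# What the authenticating side does: validate certificate $2 using only
# the CA certificate $1. Returns 0 if the signature chains to that CA.
verify_with_ca_only() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Full scenario. Returns 0 only if the genuine certificate is accepted
# and the certificate from the unrelated CA is rejected.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/ca" "$tmp/other" "$tmp/clients" "$tmp/proxy"
    make_ca "$tmp/ca" "Example CA" && make_ca "$tmp/other" "Unrelated CA" || return 1
    issue_client_cert "$tmp/ca" "client-1" "$tmp/clients/good" || return 1
    issue_client_cert "$tmp/other" "client-1" "$tmp/clients/rogue" || return 1
    # The proxy is given the CA certificate and nothing else:
    # no CA private key, no list of issued client certificates.
    cp "$tmp/ca/ca.crt" "$tmp/proxy/ca.crt"
    rc=0
    if verify_with_ca_only "$tmp/proxy/ca.crt" "$tmp/clients/good.crt"; then
        echo "client-1 (Example CA): accepted"
    else rc=1; fi
    if verify_with_ca_only "$tmp/proxy/ca.crt" "$tmp/clients/rogue.crt"; then
        rc=1
    else echo "client-1 (Unrelated CA): rejected"; fi
    rm -rf "$tmp"
    return $rc
}

demo
```

The same subject name is used for both client certificates on purpose: acceptance depends on the issuing CA's signature, not on the name in the certificate.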