In case anyone is interested, I found a workaround to the lack of doAs support.
Setting multi-threaded=true on the login module configuration for ClientLoginModule has the effect of allowing different authenticated credentials on each thread.
Its a known feature , and thanks for the info.
Its a feature for allowing many clients on the same system. You find this in the docs.
Subject.doAs support can be added via a custom interceptor in the client proxy to propagate the security context from the AccessControlContext in the same way that the current SecurityInteceptor propgates the security context established by the ClientLoginModule.