You have not really provided enough detail to really understand what is going on, but I will give it a stab anyway. From what you have described, I would say location is your problem. If you have custom login modules that are needed by two or more web applications (in separate wars), then you need to externalize those modules so they can be shared. Another less attractive option (which may not be possible depending on what your login modules do) is to have a copy in each war. You have not mentioned if your EJB's are secured. I hope so.
If this does not make sense, reply with details about your war/ear deployments that describe where stuff is. As well, some info on how your security is configured. Finally, some TRACE logging of what happens when things fail.