I was able to ameliorate this problem be creating a sar file with a class that subclassed JBoss's SystemPropertiesService. This allowed me to use an encrypted password. Actually it just reads keystore password from the keystore.password file, decrypts it, and sets the javax.net.ssl.keyStorePassword System property.
Does this sound about right, or is there an easier way to set javax.net.ssl.keyStorePassword?
There is a properties-service.xml in the deploy directory to set system props.