I have confirmed that changing it to 'IBMSecureRandom' fixes the generation of the clustered session id's. I have not checked the rest of the places it is used yet.
Adding 'SUN' as the provider was ineffective.
So either hardcoding (for myself) or making it a compile time option (for everyone) or having JBoss try the Sun implementation and falling through to the IBM (for everyone) seems to be the options.
If this is not the place to discuss this and it should be moved to a bug report, please inform me of this.
Make it a bug report.