The JCA specification lists four options for determining the resource principal when container managed sign-on is used. One of these options is Caller Impersonation, whereby the resource principal acts on behalf of the Caller principal.
I can't find any mention of Caller Impersonation in the JBOSS documentation. Is this option supported? If so, how can it be configured?