I had this same problem.
For me, the solution was to tell JBoss/Tomcat where to find the server trust keystore (the keystore containing all the trusted client certs).
Unfortunately the connector config in JBoss-Tomcat or in Tomcat does not let you specify this, so you have to find another way. Add the following parameter setting to your JVM startup for JBoss:
By the way, Jetty seems to ignore this setting. I believe newer versions of Jetty support a property in the SunJsseListener config, but in the version bundled with JBoss 3.2.1 this wasn't available and a kludgy solution was described on the Jetty web site.
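A way to check what a JVM-wide trust keystore setting actually loads, as an added example that is not part of the original post. It assumes the setting meant is the standard JSSE system properties `javax.net.ssl.trustStore`, `javax.net.ssl.trustStorePassword` and `javax.net.ssl.trustStoreType`; the class name, path and password are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

// Added example. Run it with the same -D options the server JVM is given, e.g.
//   java -Djavax.net.ssl.trustStore=/path/to/server.truststore \
//        -Djavax.net.ssl.trustStorePassword=changeit TrustStoreCheck
// The path and password above are placeholders, not values from the post.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        // Standard JSSE system properties (assumed to be what the post refers to).
        String path = System.getProperty("javax.net.ssl.trustStore");
        if (path == null) {
            System.err.println("javax.net.ssl.trustStore is not set; the JVM uses its default CA store");
            System.exit(2);
        }
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            // For JKS, a null password skips the integrity check; a wrong one fails with IOException.
            ks.load(in, pw == null ? null : pw.toCharArray());
        }

        int found = 0;
        Date now = new Date();
        for (String alias : Collections.list(ks.aliases())) {
            // Returns the trusted cert, or the first chain element for a key entry.
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x = (X509Certificate) c;
            String state = now.after(x.getNotAfter()) ? "EXPIRED" : "valid until " + x.getNotAfter();
            System.out.println(alias + ": " + x.getSubjectX500Principal().getName() + " [" + state + "]");
            found++;
        }
        if (found == 0) {
            System.err.println("no certificates found: nothing to validate client certificates against");
            System.exit(1);
        }
    }
}
```

If the client certificate's issuer (or the certificate itself) is not in the printed list, or is marked EXPIRED, client authentication will fail regardless of the connector configuration.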