WS4EE service endpoints are fundamentally stateless, so passing in a session id does not make sense.
Authenticating against an endpoint is described here:
True, it makes no sense for a J2EE session, but the session I am trying to maintain is a web (Tomcat) session. The web session makes sense for authentication, else every page would require typing in your name and password.
Instead of passing the session ID, you can configure the security domain to have the same user names and passwords as your web users, configure your web services to use basic auth, then pass the username and password as the HTTP headers. The wiki link that Thomas posted above explains it all. The trick is just to make sure that the usernames/passwords in your web tier match up with the usernames/passwords in your EJB tier.
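The per-request approach described in the last reply, as an added example that is not part of the thread: each call carries the credentials in an HTTP Basic `Authorization` header, so no session ID is needed. It uses plain JDK classes rather than a WS4EE client stub; the class name, endpoint URL and account values are hypothetical placeholders.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example: stateless per-request authentication to a SOAP endpoint.
public class BasicAuthSoapClient {

    // Builds the value of the Authorization header for HTTP Basic auth.
    static String basicAuthHeader(String user, String password) {
        // A colon in the user name would make the "user:password" pair ambiguous.
        if (user.indexOf(':') >= 0) {
            throw new IllegalArgumentException("user name must not contain ':'");
        }
        byte[] pair = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    // Prepares (does not send) a SOAP POST carrying the credentials.
    static HttpURLConnection prepare(URL endpoint, String user, String password)
            throws IOException {
        // Basic auth is only Base64-encoded, so refuse to attach it to plain HTTP.
        if (!"https".equalsIgnoreCase(endpoint.getProtocol())) {
            throw new IllegalArgumentException("credentials require an https endpoint");
        }
        HttpURLConnection conn = (HttpURLConnection) endpoint.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        conn.setRequestProperty("Authorization", basicAuthHeader(user, password));
        return conn;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values; the endpoint URL and account are placeholders.
        URL endpoint = new URL("https://ws.example.invalid/app/HelloService");
        String header = basicAuthHeader("webuser", "s3cret-sample");
        System.out.println("Authorization: " + header);

        // What the server side recovers from the header on every call.
        String decoded = new String(
            Base64.getDecoder().decode(header.substring("Basic ".length())),
            StandardCharsets.UTF_8);
        System.out.println("server sees: " + decoded);

        HttpURLConnection conn = prepare(endpoint, "webuser", "s3cret-sample");
        System.out.println("prepared " + conn.getRequestMethod() + " " + conn.getURL());
    }
}
```

Because the header decodes back to the clear-text pair, the `https` check in `prepare` is what keeps the credentials off the wire in readable form.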