Secure transport should work for EJB and Java endpoints likewise. This has been verified by Sun's compatibility test suite (CTS)
Is your issue not beeing able to fetch the WSDL from the secured web context or do you experience problems with secure SOAP message transport?
In the first case you could make the WSDL available at an unsecured context or give it to the client directly so it would not need to fetch it from the server every time you create a Service object.
In the second case, please provide a sample deployment and create a JIRA issue - this stuff should work.