There are actually 3 components to this problem:
1. Shared security. You want the authentication to be done before the apps are invoked and for that security realm to be then propagated to the apps. That is SSO (Single Sign-On).
2. You want to share the same user session between the 2 separate webapps.
3. You want to physically embed the output of one user webapp in the display of the other webapp.
SSO can be provided by using an SSO Tomcat security realm to JBoss. Tomcat is the embedded webapp server component used by JBoss. JBoss adds the missing J2EE stack components, such as EJBs, and jacks the Tomcat security Realm into them.
Sharing a session between 2 different webapps is a Tomcat application configuration option and I commend you to the kind mercies of the Tomcat and JBoss documentation.
Embedding output is the trickiest part. JSF doesn't take too kindly to frames. A better solution would be to use a standard JSR-288/JSR-238 Portal server such as Liferay and deploy that into JBoss.