Practically, you don't need to apply security for the communication between the Web tier and the EJB tier, because no one is going to access the EJB tier directly. The initial request will be handled by the web tier, which then forwards it to the BD, which then goes to the EJB/Application tier. Also, one major requirement of a secure system is that your web server, which receives the initial request, should be inside the firewall.
As Dhiren says, you can depict sequence diagrams with respect to the web client, or
depict the sequence diagram from the EJB controller, which is going to be common to both clients, and have 2 separate diagrams to explain the MVC interaction of the web and app clients. I took the second approach and secured full marks.
It's basically a business decision which has to be made by the stakeholders. In this case it's not clearly specified, so you take the chance and handle it.
To make it clearer: assume you have a shop; giving credit to the customers or not is going to be your decision. Some shops do and some shops don't, so you can take your own decision. As far as this is concerned, you can act either way, but be sure to justify well enough why you are doing so.
Your listing is sufficient, but if you feel that you need to make it clearer, there is nothing wrong in adding some more diagrams. Don't leave out this point; it doesn't add any additional marks, though!
In the document, don't just leave it at your assumptions; justify all your design decisions.