- Bug
- Resolution: Done
- Major
- JBossAS-3.2.8.SP1, JBossAS-4.0.5.GA, JBossAS-5.0.0.Beta1
- None
The following subject-context push (with a null Subject), which establishes the client security context, should not be performed when the user has configured a RunAsIdentity on the caller bean.
/* The security context must be established before the cache
lookup because the activation of a session should have the caller's
security context as ejbActivate is allowed to call other secured
resources. Since the pm makes the ejbActivate call, we need to
set the caller's security context. The only reason this shows up for
stateful session is that we moved the SecurityInterceptor to after
the instance interceptor to allow security exceptions to result in
invalidation of the session. This may be too literal an interpretation
of the ejb spec requirement that runtime exceptions should invalidate
the session.
*/
SecurityActions.pushSubjectContext(mi.getPrincipal(), mi.getCredential(), null);
The resolution is:
if(SecurityActions.peekRunAsIdentity() == null)
SecurityActions.pushSubjectContext(mi.getPrincipal(), mi.getCredential(), null);
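To make the guard and its effect concrete, here is an added Java model; it is not JBoss AS code and not the project's SecurityActions class. It assumes two thread-local stacks (subject contexts and run-as identities), that the caller bean's SecurityInterceptor has already pushed a context carrying the authenticated Subject, that the caller bean's run-as interceptor pushes onto the separate run-as stack, and that the stateful bean's own SecurityInterceptor skips authentication and pushes nothing while a RunAsIdentity is active. The names SecurityActions, pushSubjectContext, popSubjectContext and peekRunAsIdentity mirror the page; RunAsGuardDemo, SimplePrincipal, SubjectContext, invokeStateful, subjectVisible and stacksBalanced are hypothetical, as are the class bodies.

```java
import java.security.Principal;
import java.util.ArrayDeque;
import java.util.Deque;
import javax.security.auth.Subject;

// Added illustration, not JBoss AS code: a minimal model of the two thread-local
// stacks the fix consults (subject contexts and run-as identities) and of the
// stateful bean's interceptor chain before and after the guard. The class and
// method bodies are assumptions chosen to show what the guard changes.
public class RunAsGuardDemo {

    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    static final class RunAsIdentity implements Principal {
        private final String role;
        RunAsIdentity(String role) { this.role = role; }
        public String getName() { return role; }
    }

    /** One entry of the subject-context stack; subject is null for the push quoted on the page. */
    static final class SubjectContext {
        final Principal principal;
        final Object credential;
        final Subject subject;
        SubjectContext(Principal p, Object c, Subject s) { principal = p; credential = c; subject = s; }
    }

    /** Stand-in for the SecurityActions helper (assumed shape, not the real class). */
    static final class SecurityActions {
        private static final ThreadLocal<Deque<SubjectContext>> subjects = ThreadLocal.withInitial(ArrayDeque::new);
        private static final ThreadLocal<Deque<RunAsIdentity>> runAs = ThreadLocal.withInitial(ArrayDeque::new);

        static void pushSubjectContext(Principal p, Object credential, Subject s) { subjects.get().push(new SubjectContext(p, credential, s)); }
        static void popSubjectContext() { subjects.get().pop(); }
        static SubjectContext peekSubjectContext() { return subjects.get().peek(); }
        static void pushRunAsIdentity(RunAsIdentity id) { runAs.get().push(id); }
        static void popRunAsIdentity() { runAs.get().pop(); }
        static RunAsIdentity peekRunAsIdentity() { return runAs.get().peek(); }
        static int subjectDepth() { return subjects.get().size(); }
    }

    /**
     * The stateful bean's chain: instance interceptor (the push from the page), then
     * SecurityInterceptor, then ejbActivate. Returns the Subject that ejbActivate finds
     * on top of the context stack.
     */
    static Subject invokeStateful(Principal caller, Object credential, Subject callerSubject, boolean guarded) {
        // Before the fix the push is unconditional; after it, only when no RunAsIdentity is active.
        // Record the decision so the matching pop in finally is symmetric with the push.
        boolean pushed = !guarded || SecurityActions.peekRunAsIdentity() == null;
        if (pushed) SecurityActions.pushSubjectContext(caller, credential, null);
        try {
            // SecurityInterceptor (assumed behaviour): with a run-as identity active it
            // authorises by run-as roles and pushes nothing; otherwise it authenticates
            // the caller and pushes a context carrying the authenticated Subject.
            boolean authenticated = SecurityActions.peekRunAsIdentity() == null;
            if (authenticated) SecurityActions.pushSubjectContext(caller, credential, callerSubject);
            try {
                SubjectContext top = SecurityActions.peekSubjectContext(); // what ejbActivate sees
                return top == null ? null : top.subject;
            } finally {
                if (authenticated) SecurityActions.popSubjectContext();
            }
        } finally {
            if (pushed) SecurityActions.popSubjectContext();
        }
    }

    /**
     * Drives one call: the caller bean has authenticated "alice" (a real Subject is on
     * the stack) and, when runAsRole is non-null, invokes the stateful bean under that
     * RunAsIdentity. Returns whether ejbActivate could see an authenticated Subject.
     */
    static boolean subjectVisible(boolean guarded, String runAsRole) {
        Principal caller = new SimplePrincipal("alice");
        Subject callerSubject = new Subject();
        callerSubject.getPrincipals().add(caller);
        SecurityActions.pushSubjectContext(caller, "secret", callerSubject);            // caller bean's SecurityInterceptor
        if (runAsRole != null) SecurityActions.pushRunAsIdentity(new RunAsIdentity(runAsRole)); // caller bean's run-as
        try {
            return invokeStateful(caller, "secret", callerSubject, guarded) != null;
        } finally {
            if (runAsRole != null) SecurityActions.popRunAsIdentity();
            SecurityActions.popSubjectContext();
        }
    }

    /** True when every push in the scenarios above was matched by a pop. */
    static boolean stacksBalanced() {
        return SecurityActions.subjectDepth() == 0 && SecurityActions.peekRunAsIdentity() == null;
    }

    public static void main(String[] args) {
        System.out.println("no run-as, unguarded push: subject visible = " + subjectVisible(false, null));
        System.out.println("no run-as, guarded push  : subject visible = " + subjectVisible(true, null));
        System.out.println("run-as,    unguarded push: subject visible = " + subjectVisible(false, "Manager"));
        System.out.println("run-as,    guarded push  : subject visible = " + subjectVisible(true, "Manager"));
        System.out.println("stacks balanced after all calls: " + stacksBalanced());
    }
}
```

Two checks worth carrying over to any real implementation of this guard: the pop in the finally block must be conditioned on the same decision as the push (here the recorded `pushed` flag), otherwise a run-as invocation would pop the caller bean's context instead of its own and leave the thread's stack shifted for every later call; and the run-as check should be evaluated once and remembered rather than re-evaluated at pop time, so the two sides cannot disagree.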
- is incorporated by: SECURITY-27 Container Task: JBoss 4.2.x related Tasks for Security 2.0
- Closed