How to ensure that WildFly runs in PKCS11 FIPS mode on Oracle Java 11?

On OpenJDK 11 we can set SunPKCS11 provider with a path to NSS config file, and use the provider created this way to set SunJSSE provider into FIPS mode. For example

(snippet from JAVA_HOME/conf/security/java.security)

security.provider.1=SunPKCS11 /home/okotek/test/nss_pkcsll_fips.cfg
security.provider.2=SUN
security.provider.3=SunRsaSign
security.provider.4=SunEC
security.provider.5=SunJSSE SunPKCS11-testFipsPkcs
security.provider.6=SunJCE
security.provider.7=SunJGSS
security.provider.8=SunSASL
security.provider.9=XMLDSig
security.provider.10=SunPCSC
security.provider.11=JdkLDAP
security.provider.12=JdkSASL

(/home/okotek/test/nss_pkcsll_fips.cfg)

name = testFipsPkcs
nssLibraryDirectory=/usr/lib64
nssSecmodDirectory=/home/okotek/test/nssdb
nssDbMode = readWrite
nssModule = fips

getInfo() for SunJSSE provider results in Sun JSSE provider (FIPS mode, crypto provider SunPKCS11-testPkcs).

We probably cannot use the same configuration for Oracle Java 11, as the SunPKCS11-testFipsPkcs argument of security.provider.5=SunJSSE is ignored, like it's described in https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8230923, and getInfo() for SunJSSE provider results in Sun JSSE provider(PKCS12, SunX509/PKIX key/trust factories, SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3/DTLSv1.0/DTLSv1.2). However WildFly works as expected. Using com.sun.net.ssl.internal.ssl.Provider like described in the bug results into the same info string, but WildFly is not able to read trust store keystores.

The question is what we need to set to run WildFly on Oracle Java 11 in (PKCS11) FIPS mode, and whether/how it is possible to check it.