PicketBox already works with sessions to use different stores: local-inmemory or in-memory distributable cache. Your proposal can work with what we already have.
The PicketBoxSubject and PicketBoxSession work very similar to the SecurityContext. But I agree that is better to have a specific class for that.
Maybe we can have something like: PicketBoxSubject.propagate(). Where this method is responsible to create a SC instance by using some factory or something (let developers code their own SC) and to know how to propagate it.
Basically, your logic would be inside the PicketBoxSubject.propagate() method.