Thanks for your help!
I activated trace and got the following:
13:19:11,436 TRACE [org.jboss.security.plugins.mapping.JBossMappingManager] Application Policy not found for domain=CLIENT_LOGIN_MODULE.Mapping framework will use the default domain:other
13:19:11,437 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] Application Policy not obtained for domain=CLIENT_LOGIN_MODULE. Trying to obtain the App policy for the default domain of the layer:EJB
13:19:11,437 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
13:19:11,437 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] no match found for security role administrator in the deployment descriptor for ejb TestBean
So now I need to figure out why the wrong security domain is used. Do you have any clue?