Joseph, that's (unfortunately) the expected behaviour. The @PolicySets stuff is a replacement for the need of manually setting policies on server side. The tooling will generate a basic jaxws client for you. So once you have that client you need to configure it properly; that would mean e.g. providing the ws-security props, there's no way the tool can guess where you have that on client side, which usernames to use, etc. Below is a partial example:
((BindingProvider)proxy).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());
((BindingProvider)proxy).getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES, Thread.currentThread().getContextClassLoader().getResource("META-INF/alice.properties"));
((BindingProvider)proxy).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES, Thread.currentThread().getContextClassLoader().getResource("META-INF/alice.properties"));
((BindingProvider)proxy).getRequestContext().put(SecurityConstants.SIGNATURE_USERNAME, "alice");
((BindingProvider)proxy).getRequestContext().put(SecurityConstants.ENCRYPT_USERNAME, "bob");
Consider having a look at e.g. org.jboss.test.ws.jaxws.samples.wsse.policy.oasis.WSSecurityPolicyExamples22xTestCase which has a client of endpoint using the same policy you get with "WS-SP-EX223_WSS11_Anonymous_X509_Sign_Encrypt",
and/or reference the documentation at https://docs.jboss.org/author/display/JBWS/JBoss+Web+Services+Documentation (e.g. https://docs.jboss.org/author/display/JBWS/WS-Security for ws-security stuff).