WebJASPIAuthenticator in JBoss AS 7.1.1 and JBoss EAP 6.0.1 calls secureResponse right after validateRequest on a SAM has been called. The only intermediate code is registering the result of the callback handler with the container. The service invocation (e.g. calling a Servlet) is done afterwards, ie after the call to secureResponse.
See the following fragment in WebJASPIAuthenticator:
However, section 126.96.36.199 of the JSR 196 (JASPIC) spec says that the semantics of secureResponse are as defined in Section 188.8.131.52, which thus means that secureResponse should be called after a service invocation. Figure 1.1 in Section 1.1 shows this as well, and the general flow as described is Section 3.8 also mentions this.
So, in JBoss the sequence is
While the spec seems to say it should be:
In the reference implementation GlassFish the sequence is indeed the latter one.