If you craft an HTTP request with a made-up session cookie (e.g. 'Cookie: JSESSIONID=bogus; $Path=/somewebapp'), embedded JBoss will create a session for you with id 'bogus'. I tested this in standalone Tomcat (versions 5.5.9 and 5.5.12) and Tomcat created a session using its own generated session id.
This was tested using a non-distributable webapp, so the JBoss clustered Manager was not involved.
To reproduce, deploy the war included in the attached file. Then use wget to pass in a bogus request:
$ wget --header='Cookie: $Version=0; JSESSIONID=blablabla; $Path=/TestSession'
The biggest concern I have about this is the difference in behavior between embedded Tomcat and standalone Tomcat.
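The two behaviours contrasted in this report, as an added example that is not part of the original report and is not Tomcat or JBoss code: a toy session manager that either adopts an unknown client-supplied id or generates its own, plus a check for which one it does. `SessionManager`, `requested_session_id` and `adopts_unknown_id` are hypothetical names, and the sample header is constructed from the wget command above.

```python
import secrets

def requested_session_id(cookie_header, name="JSESSIONID"):
    """Extract the session id from an RFC 2109 style Cookie header.
    Attributes such as $Version and $Path start with '$' and are skipped."""
    for part in cookie_header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and not key.startswith("$") and key == name:
            return value.strip('"')
    return None

class SessionManager:
    """Toy model of a container session manager (hypothetical, for illustration)."""
    def __init__(self, adopt_client_id):
        self.adopt_client_id = adopt_client_id  # True models the reported behaviour
        self.sessions = {}

    def get_session(self, cookie_header):
        rid = requested_session_id(cookie_header) if cookie_header else None
        if rid in self.sessions:          # id the server issued earlier: reuse it
            return rid
        # Unknown or missing id: a new session has to be created.
        if self.adopt_client_id and rid:
            sid = rid                     # client-chosen id becomes the session id
        else:
            sid = secrets.token_hex(16)   # server-generated, unpredictable id
        self.sessions[sid] = {}
        return sid

def adopts_unknown_id(manager, cookie_header):
    """Regression check: True if an id the server never issued becomes a live session."""
    rid = requested_session_id(cookie_header)
    known_before = rid in manager.sessions
    sid = manager.get_session(cookie_header)
    return (not known_before) and sid == rid

# Constructed sample: the Cookie header value from the report's wget command.
HEADER = "$Version=0; JSESSIONID=blablabla; $Path=/TestSession"

if __name__ == "__main__":
    print("adopting manager  :", adopts_unknown_id(SessionManager(True), HEADER))
    print("generating manager:", adopts_unknown_id(SessionManager(False), HEADER))
```

The same check applies to a real container by comparing the id sent in the request with the id of the session the server reports afterwards.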