users@glassfish.java.net

Re: Client certificate authentication problem (still not solved?)

From: <glassfish_at_javadesktop.org>
Date: Thu, 10 Jul 2008 21:56:55 PDT

Thanks for your reply, Kumar.

Actually, I had already imported those client certificates in Firefox. The trick was that I had not changed the javax.net.ssl.trustStore and javax.net.ssl.keyStore settings in GlassFish to my own cert stores, thus GlassFish was using the default cacerts.jks and keystore.jks, while the client (browser) couldn't present certificates that the server trusts (my client certs were generated from EJBCA, and that CA was not in the cacerts list). So I speculate that Firefox hadn't submitted a cert to GlassFish, which caused this error.

My solution was pointing javax.net.ssl.trustStore and javax.net.ssl.keyStore to my cert files, then replacing all "s1as" instances in domain.xml with the cert alias in my cert, and it worked.

Hope this can shed some light for those having the same issue.
[Message sent by forum member 'marshalking' (marshalking)]

http://forums.java.net/jive/thread.jspa?messageID=285876