Ok, as the client is using Web Sphere / Web Methods, it's apparently an application configuration issue, and they don't expect to see any policy information in the WSDL. Joy. Unfortunately, it doesn't seem like Glassfish treats it the same way.
Ultimate solution? Web Service handlers using WSS4J to sign outgoing messages and verify incoming messages. What a pain.
If anyone else is struggling with this, check WSS4J (an Apache project), and the @HandlerChain annotation for your webservice endpoint. This is far from the best solution, but it does work. Also, WSS4J has some documentation issues and you'll probably need to hunt through the source code to figure out exactly how to make it work.
[Message sent by forum member 'ipsi' (ipsi)]
http://forums.java.net/jive/thread.jspa?messageID=343006