I was confused by possible solutions implementing a custom JaasSecurityManagerService mbean, or at least define it's DefaultCacheTimeout: link and link
The answer proved much simpler, and I got it from here (scroll to the answer by Darren Jones for Wildfly, complemented by Artur Mioduszewski for EAP6.1).
I use EAP 6.2, so used the following configuration in my standalone.xml
<subsystem xmlns="urn:jboss:domain:infinispan:1.4">
<cache-container name="security" default-cache="auth-cache">
<local-cache name="auth-cache" batching="true">
<expiration lifespan="*INSERT_CACHE_TIMEOUT_IN_MILLIS"/>
</local-cache>
</cache-container>
...
<security-domain name="myJaasDomain" cache-type="infinispan">
Setting the timeout to 0 shows undefined behaviour, so I used 1 ms.