In Worklight 6.1, the WebSphereLoginModule has an optional "role" parameter to specify the JEE role that the user must belong to in order to successfully authenticate:
Then in WebSphere, you would use the usual role mapping capability to map your AD groups to that role.
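
The configuration described above, as an added example that is not part of the original answer. The login module name `WASLTPAModule`, the role `WorklightUsers` and the group `MobileAppUsers` are placeholders chosen for illustration, and the sample assumes the usual `<parameter name="..." value="..."/>` login-module syntax of `authenticationConfig.xml` and that the role is declared in the application's deployment descriptor.

```xml
<!-- 1. authenticationConfig.xml (Worklight project): require a JEE role at login.
     "role" is the optional parameter named in the answer; the value is a placeholder. -->
<loginModule name="WASLTPAModule">
    <className>com.worklight.core.auth.ext.WebSphereLoginModule</className>
    <parameter name="role" value="WorklightUsers"/>
</loginModule>

<!-- 2. web.xml of the Worklight WAR (assumption): declare the role so that
     WebSphere lists it under "Security role to user/group mapping". -->
<security-role>
    <description>Users allowed to authenticate to the mobile app</description>
    <role-name>WorklightUsers</role-name>
</security-role>

<!-- 3. META-INF/ibm-application-bnd.xml of the EAR: map the role to a group from
     the user registry (here an AD group reached through the LDAP registry).
     The same mapping can be made in the admin console instead of this file. -->
<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee" version="1.0">
    <security-role name="WorklightUsers">
        <!-- Placeholder group name; use the name your registry returns. -->
        <group name="MobileAppUsers"/>
    </security-role>
</application-bnd>
```

Map the role to a specific group only: a mapping to the "All Authenticated" special subject would let every registry user pass the role check, which defeats the restriction.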