I've found 2 solutions with my problem:
1.) Move the authentication classes (picketlink) to the web layer, so that the message can be set and localized.
2.) Implement a JPA IDMConfiguration in the ejb layer. And an authentication class in the web layer. Refer to this project from github: picketlink-authorization-idm-jpa. In this way we've created a picketlink resource that we will use in web layer authentication.