After 8 hours of grueling experimentation, it turns out this isn't that difficult. It's just documented or very clear... and I had ipv6 get enabled on one of the hosts which caused all sorts of problems.
On the "cloud" server, you'll use this
<Resource
id="MyJmsResourceAdapter"
type="ActiveMQResourceAdapter">
BrokerXmlConfig = broker:(tcp://0.0.0.0:61617,network:static:tcp://ground.server.com:61617)?persistent=false
ServerUrl = vm://localhost
</Resource>
On your "ground" server,
<Resource
id="MyJmsResourceAdapter"
type="ActiveMQResourceAdapter">
BrokerXmlConfig = broker:(tcp://0.0.0.0:61617,network:static:tcp://cloud.server.com:61617)?persistent=false
ServerUrl = vm://localhost
</Resource>
Finally, disable ipv6 in your JAVA_OPTS in Apache TomEE. You can do this by creating a setenv.sh in bin/ and putting the following:
export JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=true"
Now... to figure out SSL. Hope this helps someone!