Got it to work. I modified my objectDefinitionSource for FilterSecurityInterceptor (simplified):
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/login.jsp*=ROLE_ANONYMOUS,ROLE_USER
/**/*.css=ROLE_ANONYMOUS,ROLE_USER
/**/*.jpg=ROLE_ANONYMOUS,ROLE_USER
/**=ROLE_USER
</value>

I am now applying security to everything except for jpg and css files. Without these 2 exceptions, my login page and index page looked very screwy. It appears that during the login process, when I haven't yet acquired the ROLE_USER privilege, all calls to jpg and css files were getting blocked making my login and index pages malformed. The above mapping solved it for me. So now by applying security to everything (except css and jpg files) both Tomcat and WAS 6.1.0.5 forces users to login before allowing access to the index.jsp page. Hope this helps someone.