This is a question I've been asking myself a lot today, and it has to be said, from a LOT of searching on the internet, I'm far from alone. Where I seem to be alone though is in my pursuit of an answer
Loads of times I see the question asked, and loads of times I see the answer is that in order for the browser to take any notice of the TSA's time stamping, the authority needs to have been one that is in the JRE's trusted root store (cacerts usually). And that's where most people seem to stop asking. I never know whether it worked for them or they just gave up.
For me, I've tried umpteen different URLs to the -tsa argument and they all seem to work ok. Most have come from responses where people say it needs to be a trusted root so use this one. I've even found some code online that claims to verify there is a timestamp in there (but doesn't go as far as proving the validity of the timestamp), but whatever I do, when I put the date of my machine forward by a year and load up the app via the JNLP link, sure enough my browser complains that the code was signed with a certificate that has now expired. I'm getting to the point of being pretty much stumped!!
My setup is OS X Lion, with the latest java from whoever supplies it these days (1.6.0_29) and I'm using Safari 5.1.3.
I've even gone to the extent of modifying the maven web start plugin to allow me to time stamp the jars during the maven build process and afterwards I was going to look to uploading that to the project (since it's not in there at the moment) but if it's all in vein then there's little point, and indeed may explain why it wasn't in the maven plugin in the first place