In my opinion, the best way to start analyzing this is to use a load testing tool like JMeter to load your server with (number of expected users + 20%) requests, and then collect metrics on Tomcat and the server machine using a performance monitoring system like collectd or munin.
Ensure that you simulate entire user flows. It's not enough to simulate 150 login attempts and then say it's fine, because the actual bottleneck is often not the authentication part but your application-specific logic or database queries that run when your users are using your app.
Collect metrics, find out what bottlenecks, if any - CPU, machine RAM, Tomcat heap size, disk IO, database query times - are encountered, and then you can take action. Sometimes, the solution may indeed be Tomcat tuning, but it's also possible the real bottlenecks are elsewhere. Database misuse is often a culprit.
No point doing general optimizations, because it's not reassuring either to you or to your management; better to analyze your system in detail, collect data, and then do focused optimization.