The Apache Tomcat team released version 6.0.37, which primarily contains bug fixes but also includes some security fixes.
One of the neat enhancements in this release is the addition of the SSLHonorCipherOrder directive, which lets the administrator pin the order that ssl encryption ciphers will be offered to ssl clients. With it, you can now configure tomcat to prioritize RC4 encryption ciphers if you're looking to do some BEAST remediation.
Another SSL-related change in this release is that you can now disable TLS Compression on the APR connector (assuming you're using a version of OpenSSL that allows you to disable TLS compression). This can help provide additional protection against the CRIME attack/vulnerability.
See the Apache Tomcat 6 Changelog for all the enhancments and fixes in this release and you can download source and binaries from a tomcat 6 mirror site.