Implementing two-factor authentication into a Java web app

I have an existing Java web application running through IBM WebSphere (I'm unsure of the version, but could find out if it helps) that I am looking to implement two factor authentication with.

The system has a decent user base, and I wanted to distribute hardware tokens to the admin users of the system to ensure strong authentication.

Minimal impact to the end user is desirable, but I'd like to avoid having the admins need to go through a VPN connection.

Does anyone know of any products that provide Java APIs that could be directly integrated into the existing application or other products that will provide a minimal impact? I've already spoken with RSA SecurID, but their system wouldn't integrate directly and would require an infrastructure change. Any other ideas/experience is greatly appreciated.