1) The shutdown address can be specified in Tomcat 7, not in Tomcat 6.
https://tomcat.apache.org/tomcat-7.0-doc/config/server.html
All of the AJP connectors (Tomcat 6 & 7) support an "address" attribute. See here.
https://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html#Standard_Implementations
2 a) Not exactly sure I follow you here. Are you asking if you can configure the connector for both instances of Tomcat to point to the same keystore file? As far as I know, that's OK.
2 b) Yes. See keystoreFile.
https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support
2 c) That's up to you. Do whatever makes the most sense for your setup.
2 d) It's tough to say what is a "best practice", since most environments are different and what makes the most sense for you likely depends on your unique environment.
What I can say is that I often see SSL terminated in front of Tomcat with a dedicated hardware device or Apache HTTPD. It performs well, plus it makes sense in setups with multiple Tomcat instances because there is already something in front of the Tomcat instances to load balance across them.
That doesn't mean you have to do that though. You could terminate the SSL with Tomcat and people do. If you go this route, I'd suggest using the APR or NIO connector though. The APR connector performs the best with SSL, but is a little trickier to set up. The NIO doesn't perform as well as the APR, but I believe it's better than the BIO connector and it's easy to set up.
3) I don't know of anything for the tomcat-users.xml file. It's my understanding that this file is not recommended for production use, so you should probably look at using a JDBC or LDAP realm instead.
https://tomcat.apache.org/tomcat-7.0-doc/config/realm.html
Another option would be to write a custom realm that decrypts the passwords.
Having said that, I believe the general suggestion here is to apply proper Unix permissions on the files to control access to them. For example, you should set the owner to be the user that is running Tomcat, which should *not* be root, and set the permission to r/w only for the owner.
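As an added example (not part of the answer above), here is a small POSIX shell script that turns two of the points into checks an administrator can run: from point 1, that the `<Server>` shutdown element and every AJP connector in server.xml carry an "address" attribute, and from point 3, that tomcat-users.xml and the keystore are owned by the non-root Tomcat user with no group/other access. The paths, the sample server.xml, the sample secret files and the use of the current login in place of a "tomcat" service account are all constructed for the demo; the XML checks are line-based (grep) and assume one element per line, which is how the stock server.xml is laid out.

```shell
#!/bin/sh
# Added example, not from the original answer: audit checks for the advice above.
# Assumptions: server.xml has one element per line; the Tomcat user is passed in.

# server_has_shutdown_address SERVER_XML
# Succeeds when the <Server ...> element (shutdown port) has an address attribute.
server_has_shutdown_address() {
    grep -q '<Server[^>]*[[:space:]]address=' "$1"
}

# ajp_connectors_without_address SERVER_XML
# Prints how many AJP/1.3 connectors are not bound to a specific address.
ajp_connectors_without_address() {
    grep 'protocol="AJP/1.3"' "$1" | grep -vc '[[:space:]]address=' || true
}

# file_owner FILE: owner name via ls, which works on GNU and BSD userlands.
file_owner() { ls -ld "$1" | awk '{print $3}'; }

# group_other_bits FILE: the six permission characters for group and other.
group_other_bits() { ls -ld "$1" | cut -c5-10; }

# check_private_file FILE OWNER
# 0 = ok; 1 = missing; 2 = wrong owner; 3 = owned by root; 4 = group/other access.
check_private_file() {
    file=$1
    want=$2
    [ -f "$file" ] || { echo "MISSING  $file"; return 1; }
    owner=$(file_owner "$file")
    if [ "$owner" = root ]; then
        echo "ROOT     $file is owned by root"; return 3
    fi
    if [ "$owner" != "$want" ]; then
        echo "OWNER    $file is owned by $owner, expected $want"; return 2
    fi
    if [ "$(group_other_bits "$file")" != "------" ]; then
        echo "OPEN     $file grants group/other access"; return 4
    fi
    echo "OK       $file"
}

# harden_private_file FILE OWNER: apply the advice (owner = Tomcat user, mode 600).
harden_private_file() {
    chown "$2" "$1" && chmod 600 "$1"
}

demo() {
    tmp=$(mktemp -d)
    conf="$tmp/conf"
    mkdir "$conf"
    # Constructed server.xml: shutdown port bound to loopback, one AJP connector
    # left unbound so the audit has something to report.
    cat > "$conf/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN" address="127.0.0.1">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystore.jks" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
EOF
    # Constructed secret files: a world-readable users file (weak) and a private keystore.
    printf '<tomcat-users/>\n' > "$conf/tomcat-users.xml"
    chmod 644 "$conf/tomcat-users.xml"
    printf 'not-a-real-keystore\n' > "$conf/keystore.jks"
    chmod 600 "$conf/keystore.jks"

    me=$(id -un)   # stands in for the Tomcat service account in this demo
    server_has_shutdown_address "$conf/server.xml" && echo "shutdown port is bound to a specific address"
    echo "AJP connectors without an address attribute: $(ajp_connectors_without_address "$conf/server.xml")"
    for f in tomcat-users.xml keystore.jks; do
        check_private_file "$conf/$f" "$me"
    done
    harden_private_file "$conf/tomcat-users.xml" "$me"
    check_private_file "$conf/tomcat-users.xml" "$me"
    rm -rf "$tmp"
}

demo
```

Run it as the Tomcat user against a real `conf/` directory by replacing the constructed paths in `demo` with `$CATALINA_BASE/conf/...`; the return codes of `check_private_file` make it easy to wire into a cron job or a configuration-management check that fails when a file drifts back to a permissive mode.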