I'd advise to set up TLS on the Apache side and then handle traffic from Apache to Tomcat unencrypted. This means: Setting up a VirtualHost with SSL-directives for Apache (and Apache has the keys). Then forward to tomcat through AJP. Neatly, AJP makes tomcat aware that the traffic used to be encrypted and also forwards the hostname etc. - so you don't need any more work.

Naturally, this setup is good only if you trust the traffic between Apache and tomcat not being snooped on. I'm not aware if AJP can forward fully encrypted traffic and if Apache can handle forwarding fully encrypted requests.

Further: If Apache would forward encrypted traffic (when tomcat handles all the encryption) you don't need Apache at all: In this case Apache can't do anything with the traffic but forwarding it. There's no way to handle static content, rewrite URLs, inspect the traffic etc.

If you fear the traffic between Apache and Tomcat will be snooped on, I'd still terminate the encryption on Apache, then re-encrypt the AJP traffic. Never done this though, and I'd be curious to see if someone does it (and how it's done)