Awesome, thanks for kicking off this effort - we're very keen on non-core formfields maintained by the community!
Some quick remarks on your code:
I suggest namespacing your module and class names, its too likely that common names like "AutocompleteField" will cause clashes in the future. I know we havent been very good about this ourselves in core, but that makes it even more important for third-party extensions to find more unique names.
Keep in mind that each FormField is a controller in itself (as in: it extends RequestHandler), so you should merge AutocompleteController into AutocompleteField. This has the advantage that you don't have to secure your controller separately, as any autocomplete requests will be executed within the context of the controller+form+formfield. One consideration here is performance: Autocomplete relies on fast responses, which might be difficult to achieve if your formfield is embedded in a complicated form.
Have a look at the "tagfield" module for ideas: http://silverstripe.org/tag-field-module. Its very similiar to your code, and uses jQuery.autocomplete as well.
$response->addHeader('Content-Length', strlen($body));
I don't think you need to set this explicitly, your webserver should handle this.
$className = Convert::raw2sql($request->param('ClassName'));
$fieldName = Convert::raw2sql($request->param('FieldName'));
This is a bit of a security hole - although youre checking the canView() methods, not every field should be accessible in certain contexts. I suggest initializing the field with these values as opposed to getting them from each ajax request.