We had a similar problem in supporting a WS-Security service; you might find some info in that thread.
The suggestion we got from support was to use the WSDL to generate a policy, and then create a separate policy that calls the first. I found that separation of concerns made it a bit easier to manage. There were other comments that this isn't needed and you could work with just one policy.
The "generate policy from WSDL" task creates some artifacts that you can't get working with assertions directly (I think!), and they may or may not be needed in your case.