I have just figured this out and it's spectacularly bad design on their part.
The Accepts header that you're meant to pass differs depending on which part of the REST API you're invoking. For example, the two commands below both work:
curl -H Accept:application/vnd.ca.lisaInvoke.vseList+json -u USERNAME:PASSWORD "http://LISAHOST/api/Dcm/VSEs"
curl -H Accept:application/vnd.ca.lisainvoke.VirtualService+json -u USERNAME:PASSWORD "http://LISAHOST/api/Dcm/VSEs/VSE4/serviceName"
Notice the bits in bold - the Accept header is different in each case. Funnily enough, that's what the root element in the response is called, vseList and VirtualService respectively (that's how I figured it out).
Why on earth it's not just accepting "application/json" is beyond me.