Hi Avi,
I haven't looked into this area for a while, but SMCHALLENGE=YES didn't use to be a requirement - but I know how the usage of that cookie has changed, so I can see how it could be required now for Basic login.
1) One possible soln.
If you want to generate the SMCHALLENGE=YES cookie via the webserver, then you could not send the Authorization: header, and it will return a 401 response, and presumably set the cookie. Then you could send the request with the header, and the cookie. For Angular you would need something like this:
angularjs - Capture HTTP 401 with Angular.js interceptor - Stack Overflow
2) Another possible soln.
Since it is the authazws on the Access Gateway, it would be possible to write some mod_rewrite entries in the httpd.conf to add the cookie to specific requests, say if the Authorization: header is present.
RewriteRule Flags - Apache HTTP Server Version 2.4
Something like the following (but not tested):
RewriteEngine on
RewriteRule "^/authazws/.*" "-" [CO=SMCHALLENGE:YES:.example.com:0:/]
But also, it seems odd you are sending a login request to the authws URL, which is protected and you need UN/PW in the Authenticate: header to log on (let's call them UN1 and PW1). Once you've done that you will get an SMSESSION cookie, which will be for the UN1/PW1.
But then once you have a session and access to the /authazws URL, I presume you are going to call and pass in another pair of user & password UN2/PW2 and get back as the response a session token (effectively SMSESSION2 - but this one will not be a cookie).
Is that what you are after: some sort of "admin" login that has access to be able to log in other users? Or are you after a mechanism where a single user fills in some (Angular) form, posts it and gets a valid browser SMSESSION cookie?
Cheers - Mark
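
The 401-then-retry sequence from option 1, as an added example that is not part of the original post, written for a non-browser JavaScript client (Node). It assumes the 401 response really does set SMCHALLENGE; `send`, `extractChallengeCookie` and `basicLoginWithChallenge` are hypothetical names, and `send` stands in for whatever HTTP wrapper the client uses.

```javascript
// Added example, not code from the post. All names here are hypothetical.

// Pull "SMCHALLENGE=<value>" out of a list of Set-Cookie header values.
function extractChallengeCookie(setCookieValues) {
  for (const value of setCookieValues || []) {
    const pair = value.split(';')[0].trim();   // drop attributes (path, domain, ...)
    const eq = pair.indexOf('=');
    // Exact name match, so a cookie such as "XSMCHALLENGE" is not accepted.
    if (eq > 0 && pair.slice(0, eq) === 'SMCHALLENGE') return pair;
  }
  return null;
}

// send({url, headers}) -> Promise<{status, setCookie: string[]}> is an assumed
// transport wrapper (for example around fetch), injected so the flow runs offline.
async function basicLoginWithChallenge(send, url, username, password) {
  // Basic credentials are only base64-encoded, so never send them without TLS.
  if (new URL(url).protocol !== 'https:') {
    throw new Error('refusing to send Basic credentials over a non-TLS URL');
  }

  // Step 1: no Authorization header; the agent is expected to answer 401.
  const first = await send({ url, headers: {} });
  if (first.status !== 401) return first;      // nothing to retry

  // Assumption from the post: the 401 response sets the SMCHALLENGE cookie.
  const challenge = extractChallengeCookie(first.setCookie);
  if (!challenge) throw new Error('401 response did not set SMCHALLENGE');

  // Step 2: same URL, now with the credentials and the cookie together.
  const token = Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
  return send({
    url,
    headers: { Authorization: `Basic ${token}`, Cookie: challenge },
  });
}
```

In a browser the `Cookie` header cannot be set from script; there the browser replays the cookie itself and only the 401 handling and the retry remain.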