The ASA for WebSphere gives you tier 2 authentication from SiteMinder.
If you don't have it and just use the web agent on the IHS reverse proxy, then you are relying on network and other controls to prevent users bypassing the reverse proxy and spoofing whatever http header the proxy passes back to WebSphere to provide the authenticated user's context.
By using the ASA, it will validate the SiteMinder cookie with the Policy Server, thus preventing bypassing of the reverse proxy and header spoofing. Pages 14-15 of the doc you linked to explain which components you need. It's a long time since I've done this, but in previous projects where I did it, we only deployed the TAI component for http authentication. We didn't need the login module as we had no use cases for it and we didn't need the JACC provider as we let WebSphere handle the authorization natively