Docops has pretty good list and explanation of each one. Sometimes it's not always clear when you want to leverage certain things. I'm still pretty new to the GW too, so still figuring a lot of things out .
But here's some stuff I found useful when setting up the CA SSO token services -
--- Doing Math operations ---
Math Expression Assertion
Mathematical functions within Policy
How can I create a simple arithmetic operation (a b, for example)?
Within the context of CA SSO, if you want remaining time on a session you can use XPath to calculate time remaining on an SSO token to return to an app. From what I've found the API GW doesn't support the standard web agent headers regarding time left. So you get the max time, last time, and idle time only; then have to calculate the time remaining yourself based on server time (if it's already expired and you're on the latest version it should just fail but if you want to know how much time is left on an active session, need to do this).
End up with something like: $maxSessionTime - ($gateway.time.seconds - $startSessionTime)
--- XPath credentials via context variables ---
Custom HTTP Authorization Header
--- CA SSO variables ---
CA Single Sign-On Context Variables - CA API Gateway - 9.2 - CA Technologies Documentation
Just have to remember if you only do the authenticate call you may not get all variables. Some only get sent with an authorize call. That's a standard CA SSO thing.