You sure you want password AND token authentication? Not sure that adds a whole lot extra.
On item 3, the only thing RSA AM should be verifying is the passcode (PIN + tokencode) - that gets passed as the "password".
If you can accept the chance of person A's password being used but then person B's token... you could probably just protect the RSA HTML form with a password-based authentication scheme. So you'd first have to put in a password, then get the RSA form and "step up" to that. Just a thought.