Hi Sid,
As per my understanding, OTK is actually an implementation of OAuth on the gateway.
I.e., they are gateway policies. They work as an OAuth server and can be used to protect APIs, no matter whether the API is on the gateway or on a remote server.
To use it to protect a resource, the resource needs to register as an OAuth client on /oauth/manager. And your client needs to be able to access the OAuth server (i.e. the gateway server) to retrieve an OAuth token. The service provider may also need to access the OAuth server to validate the token.
The OTK provides the OAuth endpoints needed for a complete OAuth flow.
See: APIs - CA API Management OAuth Toolkit - 3.5 - CA Technologies Documentation
Regards,
Mark