PFA attached document on steps needed to make Layer7 with OTK act as OAuth Provider and Ca SSO as OAuth Client. There is some useful info about OAuthStateDataCookie in it as well which is not documented any where.
Single Sin-On from CA-SSO to the IBM Mainframe via PassTickets
By default, the ! AJP connector is not enabled in JBoss 6.3. In order to enable the AJP connector in JBoss 6.3 to allow CA SSO authentication, in addition to the documented steps to integrate the two products, you must: Edit the standalone-full-ca-gm. xml file in the <JBosshome>...