I think PicketLink Federation can also help you in #3. It supports WS-Trust, providing a Security Token Service (STS) that you can use to issue/renew/cancel/validate security tokens.
PicketLink also provides some JAX-WS Handlers that you can use in your SOAP-based service to consume the SAML assertion previously issued by an IdP. In this case, the handler will validate it against the STS. If everything is fine, the user's security context is restored from the SAML assertion.
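As an added illustration of the handler pattern described above (this is not PicketLink's own code and not part of the original answer), here is a JAX-WS `SOAPHandler` that pulls a SAML 2.0 assertion out of the WS-Security header of an inbound request, hands it to a validator, and, on success, places the subject in the message context for the service to pick up. The `SamlTokenHandler` class, the `TokenValidator` interface and the `saml.subject` context key are assumptions chosen for this example; in a real deployment the validator would issue a WS-Trust Validate request to the STS, which is the step PicketLink's shipped handler and STS client perform for you.

```java
// Added example: a JAX-WS SOAPHandler that consumes a SAML 2.0 assertion from the
// WS-Security header. Not PicketLink code; class and interface names are assumptions.
import java.util.Collections;
import java.util.Iterator;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeader;
import javax.xml.soap.SOAPMessage;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import org.w3c.dom.Element;

public class SamlTokenHandler implements SOAPHandler<SOAPMessageContext> {
    // Standard OASIS namespaces for the WS-Security header and SAML 2.0 assertions.
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Hypothetical context key under which the validated subject is exposed to the service.
    static final String PRINCIPAL_KEY = "saml.subject";

    /** Validation back end (assumed interface). A real implementation would send a
     *  WS-Trust Validate request carrying the assertion to the STS and read its status. */
    public interface TokenValidator {
        /** @return the subject name if the STS accepts the assertion, or null if it rejects it. */
        String validate(Element assertion);
    }

    private final TokenValidator validator;

    public SamlTokenHandler(TokenValidator validator) {
        this.validator = validator;
    }

    @Override
    public Set<QName> getHeaders() {
        // Declare that we understand the wsse:Security header, so a
        // mustUnderstand="1" on it does not cause the runtime to fault.
        return Collections.singleton(new QName(WSSE_NS, "Security"));
    }

    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        boolean outbound = (Boolean) ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
        if (outbound) {
            return true; // only inbound requests carry a token we need to check
        }
        try {
            Element assertion = findAssertion(ctx.getMessage());
            if (assertion == null) {
                throw new SecurityException("request carries no SAML assertion");
            }
            String subject = validator.validate(assertion);
            if (subject == null) {
                throw new SecurityException("STS rejected the SAML assertion");
            }
            // Restore the caller's identity for the service implementation.
            ctx.put(PRINCIPAL_KEY, subject);
            ctx.setScope(PRINCIPAL_KEY, MessageContext.Scope.APPLICATION);
            return true;
        } catch (SOAPException e) {
            // A RuntimeException from a handler is turned into a SOAP fault by the runtime.
            throw new SecurityException("malformed WS-Security header", e);
        }
    }

    /** Locate the first saml2:Assertion inside any wsse:Security header block. */
    private static Element findAssertion(SOAPMessage msg) throws SOAPException {
        SOAPEnvelope env = msg.getSOAPPart().getEnvelope();
        SOAPHeader header = env.getHeader();
        if (header == null) {
            return null;
        }
        Iterator<?> blocks = header.getChildElements(new QName(WSSE_NS, "Security"));
        while (blocks.hasNext()) {
            SOAPElement security = (SOAPElement) blocks.next();
            Iterator<?> assertions = security.getChildElements(new QName(SAML2_NS, "Assertion"));
            if (assertions.hasNext()) {
                return (Element) assertions.next();
            }
        }
        return null;
    }

    @Override
    public boolean handleFault(SOAPMessageContext ctx) {
        return true;
    }

    @Override
    public void close(MessageContext ctx) {
    }
}
```

The handler is registered on the service endpoint through a handler chain (`@HandlerChain` or programmatic binding), and the service reads the subject back with `webServiceContext.getMessageContext().get("saml.subject")`. The point of routing validation through the STS rather than checking the assertion locally is that the service then needs no copy of the IdP's signing key and honours cancellations the STS knows about.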