Yeah. The STS is ideal for this. It can deal with a token and other attributes that you require. Rather than WS calls, I am wondering if it should just be plain HTTP/REST calls.
Yes, instead of WS calls this would be calls over the HTTP interface or over the Native / Remoting based interface.
I am open to other ideas, but in general I was thinking of something that could be encoded to a Base64 String that can then either be passed in a custom HTTP header or within the Remoting call, and then it can be decoded and verified once received.
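
One way the Base64 token described in the post above could be built and checked on receipt, as an added example that is not part of the original thread and not the STS's own token format. It assumes an HMAC-SHA256 key shared by issuer and receiver, a JSON claims payload with an `exp` field, and a hypothetical header name `X-Security-Token`.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

HEADER_NAME = "X-Security-Token"  # hypothetical custom header name (assumption)
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def encode_token(claims, key):
    """Issuer side: serialize claims, prepend an HMAC, Base64-encode the result."""
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(mac + payload).decode("ascii")


def verify_token(header_value, key, now=None):
    """Receiver side: decode, authenticate, then (and only then) parse and check expiry."""
    try:
        raw = base64.b64decode(header_value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("token is not valid Base64") from exc
    if len(raw) <= MAC_LEN:
        raise ValueError("token too short")
    mac, payload = raw[:MAC_LEN], raw[MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison; the payload is not parsed until it is authenticated.
    if not hmac.compare_digest(mac, expected):
        raise ValueError("signature mismatch")
    claims = json.loads(payload)
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    token = encode_token({"sub": "alice", "exp": time.time() + 300}, key)
    print(f"{HEADER_NAME}: {token}")
    print(verify_token(token, key))
```

The same string can be carried in the Remoting call instead of the header; only the transport changes, not the verification.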