Correct me if I'm wrong, but here is the way WS-Trust and STSs are supposed to work:
1. You access a web page that is protected.
2. Your browser is redirected to a logon page.
3. Enter credentials and click submit.
4. Credentials are verified by the STS and added to the session object for you.
5. You're redirected back to the original page.
The credentials part is supposed to be arbitrary; any authentication method should work so long as the STS can verify it. This works for web services too, only you go directly to the STS first and authenticate, then use the token to invoke the target web service.
This probably doesn't help you solve the problem, but hopefully it adds some clarity to the situation.