This is something that is targetted for CXF 2.2/Services Framework 2.2.
Basically, for 2.2, we will support the WS-SecurityPolicy stuff that the .NET stuff produces. That will include the "IssuedToken" policy.
If you want to see some of it "working", you can checkout the CXF InteropPlugFest stuff from:
the wstrust13 directory has a client that gets a SAML token from the MS STS and uses that to securely talk to the service.