As per my understanding ...
To secure an API, just put the "OTK Require OAuth x.0 Token" assertion at the beginning of the API's policy.
Then only HTTP requests that contain a valid token can access this API successfully.
Secure an API Endpoint with OAuth - CA API Management OAuth Toolkit - 3.5 - CA Technologies Documentation
So, before calling the API from the client (an app, a browser, etc.), the client needs to authorize first.
To do so, you may publish another authorize service (or just a policy fragment for protected APIs) that uses Retrieve Token Assertions to get the access token and then routes to the protected API.
Or, the client can call the OAuth API endpoints directly to retrieve the access token, then call the protected API.
Here is the list of OAuth API endpoints:
OAuth API Endpoints - CA API Management OAuth Toolkit - 3.5 - CA Technologies Documentation