Did you build the service by recording the real application or from R/R Pairs?
Do the responses in your VSI contain proper CORS response Meta Data header information (i.e., Access-Control-Allow-Origin, Access-Control-Allow-Credentials, etc.)?
My limited understanding is that cross-domain support, in your example, means that the client-side application (AngularJ) is expecting HTTP response meta data for specific key/value pairs.
I have seen a different case where CORS (running in AngularJ) blocked the application from making a call to the server. We were researching the possibility of disabling CORS in the development environment to see if we could get around the issue. The other option we were exploring was to host the virtual services locally.
I wonder if SV as Code would make it easier as this option places the components local so no cross-domain interaction is required. Welcome CodeSV