Dear saisuneel ,
You can use "Retrieve OAuth 2.0 Token Assertion", Retrieve OAuth 2.0 Token Assertion - CA API Management OAuth Toolkit - 3.1 - CA Technologies Documentation
If you have MAG installed, there are policy examples such as "google oauth 2.0 client", or facebook client etc.
gateway is supposed to be stateless, we don't recommend to persist the tokens. Usually gateway is not the real oauth client, there should be a real client you can return the token to. If you have to, you can persist the tokens to database (via jdbc), or remote cache.
Regards,
Mark