Hello,
To answer your first question, yes, the callback URL is the eventual resource requested. However, there is some more nuance to the exchange. The callback URL is the redirect URI to which you will redirect the user, providing the token in the URL on grant types such as implicit (in Gateway terms this would be your OAuth-protected API). It is then the job of the user-agent/frontend application to follow the redirect URI, retain the token and access the protected API.
I would first look over the following links to get a better understanding of the toolkit and OAuth2, and then you can start to understand the request scenarios with the Test Clients we provide OOTB (see the last link below). The test clients can provide a sort of POC example of how each request would work.
Here is a good link that does a good job explaining grant types and the overall flow for each: https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
Here is a link to our CA product wiki to get started with grant types and request scenarios. You can choose to export this wiki in PDF form if you would like.
Registering Clients: Registering Clients with the OAuth Manager - CA API Management OAuth Toolkit - 4.1 - CA Technologies Documentation
OAuth Request Scenarios: OAuth Request Scenarios - CA API Management OAuth Toolkit - 4.1 - CA Technologies Documentation
Securing Endpoint with OAuth: Secure an API Endpoint with OAuth 2.0 - CA API Management OAuth Toolkit - 4.1 - CA Technologies Documentation
Run the Test Clients: Run the OAuth 2.0 Test Client - CA API Management OAuth Toolkit - 4.1 - CA Technologies Documentation
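
The implicit-grant redirect described in the reply above, seen from the user-agent side, as an added example that is not part of the original post or of the OAuth Toolkit. The host name, token and state values are constructed, the function names are hypothetical, and the state check assumes the client sent a state value with its authorization request.

```javascript
// Added example: handle the redirect the authorization server sends back in
// the implicit grant, where the token parameters arrive in the URL fragment.
function parseImplicitCallback(callbackUrl, expected) {
  const url = new URL(callbackUrl);
  const registered = new URL(expected.redirectUri);

  // Accept the response only on the exact redirect URI registered for the client.
  if (url.origin !== registered.origin || url.pathname !== registered.pathname) {
    throw new Error("callback does not match registered redirect URI");
  }

  // URLSearchParams does not strip a leading '#', so remove it first.
  const params = new URLSearchParams(url.hash.replace(/^#/, ""));

  // RFC 6749 section 4.2.2.1: errors are also returned in the fragment.
  if (params.has("error")) {
    throw new Error("authorization error: " + params.get("error"));
  }
  // The returned state must equal the value this client sent (CSRF protection).
  if (!expected.state || params.get("state") !== expected.state) {
    throw new Error("state mismatch");
  }
  if ((params.get("token_type") || "").toLowerCase() !== "bearer") {
    throw new Error("unsupported token_type");
  }
  const accessToken = params.get("access_token");
  if (!accessToken) throw new Error("no access_token in fragment");

  // Strip the fragment so the token does not stay in the address bar or history.
  url.hash = "";
  return {
    accessToken,
    expiresIn: Number(params.get("expires_in")) || null,
    cleanUrl: url.toString(),
  };
}

// Header for the follow-up request to the OAuth-protected API.
function bearerHeader(result) {
  return { Authorization: "Bearer " + result.accessToken };
}

// Constructed sample redirect, not captured from a real gateway.
const SAMPLE_CALLBACK =
  "https://app.example.test/callback#access_token=SAMPLE_TOKEN" +
  "&token_type=Bearer&expires_in=3600&state=xyz123";
const SAMPLE_EXPECTED = { redirectUri: "https://app.example.test/callback", state: "xyz123" };
```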