Hi Ajay,
Yes it is a little tricky, when you set RequireAgentEnforcement=yes, then access to the webservices URL needs to be protected access.
https://webservices.example.com/authazws/AuthRestService/login/appID/Resource
In addition to RequireAgentEnforcement=YES in the ACO you also need to add an AgentName mapping for the access the webserver, something like :
AgentName=wsagent,webservices.sample.com
http://webservices.sample.com/AgentName=agent1,appID1
And then you need to add policy so the webagent: wsagent considers /authazws URL as protected. You also need to pick an auth scheme for the realm as well.
The deal then is that then to access https://webservices.example.com/authazws/AuthRestService/login/appID/Resource it is a normal siteminder protected URL, so you need an SMSESSION cookie to make that webservices call. The Admin guide recommends using an SSL credential scheme.
So the idea is that your client has one level of access to get to the webservices.sample.com URL, either using a client certiifcate or similar (coded UN/PW basic auth will also work), that gives that client the ability to send logon requests and get back responses.
You can see in the above that it is really applicable to a server trying to process logon requests on behalf on some other service, giving user credentials and passing back the smtoken (really the SMSESSION cookie content). It is not really the same as a mobile app making a call, and trying to logon the device owner, and get a SMSESSON cookie for its own use.
If yours is the 2nd case then you really want anonymous access to the login service, to allow any user to make that call. Also then in this 2nd case the call to the https://webservices.exmaple.com/AuthRestService/authz/appID/Resource is probably not applicable to you, since it just tells you if that user has access to the resource - it does not return the resource contents. In the 2nd case, you are more likely to bundle the smtoken you got back as an SMSESSION cookie to access a normal Siteminder protected resource.
Cheers - Mark
PS: A good tip to seeing what is happening is to enable the webagent and webagnet trace logging in the webservices ACO