We decided to use the CXF SecurityTokenServiceProvider class as the entry point of the STS implementation. Since SecurityTokenServiceProvider is not thread-safe, we have to create a new instance for each incoming request.
When it comes to policy enforcement, we'll be using message properties to override the default behaviour of the CXF policy framework. By using message properties we can dynamically change the effective security policies.
All components, including the Token Providers, Claim Manager and Static Property Provider, will be plugged into the SecurityTokenServiceProvider programmatically (without using Spring XML).
SecurityTokenServiceProvider uses a WebServiceContext. Since our intention is to delegate only the SOAP message to the STS (we're not using web services coupled with the STS), we'll have to write a mock class for WebServiceContext (not finalised).
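
A sketch of the per-request, Spring-free wiring described above, added here as an illustration and not taken from the project's code. The class name `StsProviderFactory` and its method are hypothetical, and it assumes the token providers, claims manager and STS properties are built once at start-up and are safe to share between requests; only the `SecurityTokenServiceProvider` and its issue operation are created per request.

```java
import java.util.Collections;
import java.util.List;

import org.apache.cxf.sts.STSPropertiesMBean;
import org.apache.cxf.sts.claims.ClaimsManager;
import org.apache.cxf.sts.operation.TokenIssueOperation;
import org.apache.cxf.sts.token.provider.TokenProvider;
import org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider;

/** Hypothetical factory: one fresh SecurityTokenServiceProvider per incoming request. */
public final class StsProviderFactory {

    // Collaborators built once at start-up (assumed safe to share, see lead-in).
    private final STSPropertiesMBean stsProperties;   // e.g. a StaticSTSProperties instance
    private final ClaimsManager claimsManager;
    private final List<TokenProvider> tokenProviders;

    public StsProviderFactory(STSPropertiesMBean stsProperties,
                              ClaimsManager claimsManager,
                              List<TokenProvider> tokenProviders) {
        if (stsProperties == null || claimsManager == null
                || tokenProviders == null || tokenProviders.isEmpty()) {
            // Fail at start-up instead of issuing tokens from a half-configured STS.
            throw new IllegalArgumentException("STS collaborators must all be configured");
        }
        this.stsProperties = stsProperties;
        this.claimsManager = claimsManager;
        // Freeze the list so request-handling code cannot add a provider at runtime.
        this.tokenProviders = Collections.unmodifiableList(tokenProviders);
    }

    /** Call once per request; the returned instance must not be cached or shared. */
    public SecurityTokenServiceProvider newProvider() throws Exception {
        // The operation is the programmatic equivalent of the Spring <bean> wiring.
        TokenIssueOperation issueOperation = new TokenIssueOperation();
        issueOperation.setStsProperties(stsProperties);
        issueOperation.setClaimsManager(claimsManager);
        issueOperation.setTokenProviders(tokenProviders);

        SecurityTokenServiceProvider provider = new SecurityTokenServiceProvider();
        provider.setIssueOperation(issueOperation);
        return provider;
    }
}
```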