Thanks for your reply. To provide the last piece of the puzzle: add this to your Notes.ini to allow special headers.
HTTPEnableConnectorHeaders=1
Description:
Enables the Domino HTTP task to process special headers that are added to requests by a WebSphere 4.0.3 plug-in installed on a foreign Web server. When the plug-in relays an HTTP request to the Domino back-end server, the plug-in adds headers that include information about the front-end server's configuration and user authentication status. As a security measure, the HTTP task ignores these headers if the setting is not enabled. This prevents an attack via plug-in mimicking.
Valid Values are:
0 - The Domino HTTP task does not process the special headers.
1 - The Domino HTTP task does process the special headers.
SPR# DMEA5KZQR2 - Fixed a problem where when HTTPEnableConnectorHeaders=1 non-standard SSL port wasn't honored. This regression was introduced in 6.0.2.
This parameter must be set for Domino to interpret the header coming from Microsoft IIS.
This setting enables the Domino HTTP task to process the special headers added by the plug-in to requests. These headers include information about the frontend server's configuration and user authentication status. As a security measure, the HTTP task ignores these headers if the setting is not enabled. This prevents an attacker from mimicking a plug-in.
Headers:
$WSAT: The Auth Type that is being used to make this request.
$WSCC: The Client Certificate used for this request. If the value is not base64 encoded for us by the Web server, then the plug-in will base64 encode it before sending it across to the application server.
Restriction: If you enable this, it is assumed you know what you’re doing, and how to protect direct access to the port at which the embedded http is listening.
Note: If you set the LogLevel to TRACE in the plugin XML config file, it is possible to see what headers are actually added for a given request.
$WSCS: The cipher suite that the Web server negotiated with the client. This is not necessarily the cipher suite that the plug-in will use to send the request across to the application server.
$WSIS: This header will be set to either True or False depending on whether or not the request is secure (came in over SSL/TLS).
$WSSC: The scheme being used for the request. This header will normally be set to either http or https.
$WSPR: The HTTP protocol level being used for this request. The plug-in currently has support for up to HTTP/1.1 requests.
$WSRA: The remote IP address of the machine the client is running on.
$WSRH: The remote host name of the machine the client is running on. If the hostname can't be resolved, this header should be set to the IP address.
$WSRU: The remote user specified for the given request.
$WSSN: The server name used for this request. This should be the value that was specified in the HOST header of the incoming request.
$WSSP: The server port that the request was received on. This will be the port value that is used in route determination.
$WSSI: The SSL Session ID being used for this request. If the value is not base64 encoded for us by the Web server, the plug-in will base64 encode it before sending it across to the application server.
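
An added example, not part of the original post or the quoted documentation: a check for the restriction noted above, flagging any request that carries the listed connector headers but arrives from a peer other than the front-end web server. The function name `audit_request`, the allowlist of front-end addresses, the sample requests and the $WSIS/$WSSC consistency rule are assumptions made for illustration.

```python
import ipaddress

# Connector headers listed on this page (added by the front-end plug-in).
CONNECTOR_HEADERS = {"$WSAT", "$WSCC", "$WSCS", "$WSIS", "$WSSC", "$WSPR",
                     "$WSRA", "$WSRH", "$WSRU", "$WSSN", "$WSSP", "$WSSI"}


def audit_request(peer_ip, headers, trusted_frontends):
    """Classify one request received on the Domino HTTP port.

    peer_ip           -- TCP source address of the connection (never $WSRA)
    headers           -- dict of header name -> value as received
    trusted_frontends -- CIDR strings for the hosts running the plug-in
    Returns (verdict, findings); verdict is "ok", "review" or "reject".
    """
    # Header names are case-insensitive, so normalise before matching.
    present = {k.upper(): v for k, v in headers.items()
               if k.upper() in CONNECTOR_HEADERS}
    if not present:
        return "ok", []
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_frontends):
        # Only the front end may assert identity or TLS state for a client.
        return "reject", [f"{sorted(present)} sent by untrusted peer {peer_ip}"]
    findings = []
    # Assumed sanity rule: $WSIS (True/False) should agree with $WSSC (http/https).
    secure = present.get("$WSIS", "").strip().lower()
    scheme = present.get("$WSSC", "").strip().lower()
    if secure and scheme and (secure == "true") != (scheme == "https"):
        findings.append(f"$WSIS={secure} disagrees with $WSSC={scheme}")
    return ("review" if findings else "ok"), findings


if __name__ == "__main__":
    trusted = ["192.0.2.10/32"]  # constructed front-end address
    samples = [  # constructed requests: (peer, headers)
        ("192.0.2.10", {"$WSRU": "jdoe", "$WSIS": "True", "$WSSC": "https"}),
        ("198.51.100.7", {"$wsru": "admin", "Host": "mail.example.com"}),
        ("192.0.2.10", {"$WSIS": "False", "$WSSC": "https"}),
    ]
    for peer, hdrs in samples:
        print(peer, audit_request(peer, hdrs, trusted))
```

The same allowlist belongs in the network controls in front of the Domino HTTP port, so that a "reject" verdict here indicates a gap in that filtering rather than being the only line of defence.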