As mentioned in previous post - there are three ways to attach Policies in OWSM 11g.
a) at Design Time (DT) in an IDE - ex: JDeveloper
b) Post Deployment - using WLST or FMWCTL
One of the questions that pop up from time to time is around when to use what - in this post I provide some guidelines that can help in deciding which is the best methodology.
Before I actually layout some guidelines - we need to discuss a related feature supported in OWSM 11g - this relates to the fact that attaching a policy at DT does not prevent you from changing it post deployment. So (a) and (b) are not necessarily mutually exclusive. The reason OWSM provides this flexibility is in many organizations - administrators (either app administrators or security administrators) decide on the security posture and hence the ability to change the security posture by changing the policy of a Web Service or Web Service Client is an important consideration .
So if your organization is more attuned to the process of standardizing security upfront and communicating it to your developers then developers can secure it at DT, test it early to ensure all aspects are working before the app gets deployed to a testing, staging, production environments. In general I would recommend some level of testing with security enabled in your DT environment. (a) is helpful in those scenarios.
(b) is relevant in two scenarios:
i) you have unsecure apps that need to be secured by the administrators post deployment.
ii) you have secure apps but they don't adhere ot the security guidelines standardized by the organization and hence you need to change the policy attached to the WS/WS Client.
Using WLST vs. FMWCTL:
WLST is more suited if you would like to script things out (in addition some administrators like command line tooling while others prefer a Web based user interface).
FMWCTL is more suited for people who prefer a Web based user experience or for non-scripting scenarios.
In future blog posts I will discuss guidelines around when to use Direct Policy Attachments (or Local Policy Attachments) vs. Global Policy Attachments (GPA).
 In 18.104.22.168.0 - WLS JAX-WS Client support only a programmatic model of attaching the policy to the client app. In this scenario - one cannot change the policy post deployment.