Hi!
Depending on the situation and the requirements, I would consider a mediator service that uses
SOAP web service to communicate with the SAP server and, for instance, JSON to communicate with the mobile device.
Such a mediator service can easily be set up using existing integration frameworks/tools.
You should be able to tell from the WSDL of the SAP service whether it uses WS-Security or not. If it does, there probably are WS-Policy data in the WSDL.
Best wishes!