I don't quite understand, but it sounds like there are 4 servers involved here:
1. A proxy server linking to Tomcat
2. The tomcat server
3. webservices server #1
4. webservices server #2
It seems to sound like maybe webservices server #1 also is fronted by a proxy server, possibly the same one proxying for Tomcat, but possibly not, but in either event, requiring proxy credentials. Whether webservices server #2 is proxied doesn't matter, since there are no proxy-related credentials.
I don't think Tomcat itself has any specific parameters that have to be set to make it proxied. At least in my case there aren't, although I let Tomcat handle its own security, not my proxy server.
For the web services, what really counts is what security credentials are supplied when the web services are invoked. That is being done by the webapp, and part of the application program's logic should be to supply whatever security tokens are needed as part of their interfaces to the web services. Thus, it is the responsibility to ensure that suitable security tokens are provided on a per-server basis when invoking foreign (webservices) servers.
Customer surveys are for companies who didn't pay proper attention to begin with.