Thanks Tim, yes indeed the token will be riding on the unprotected DIAG protocol.
As for selecting the client via the Portal method, you normally pass the client parameter as part of the transaction iview. So technically you can select which system and which client.
As for the other comments I have, Id be interested to continue the discussion. I'll drop you a message!