@RamaKrishna , Great Questions, Please find answers inline.

• Apart from Oauth2 does APIGEE support ws-security mechanism(send base64 encrypted cred in soap header)?
  • Yes, Apigee does support ws-security mechanism. Construct base 64 encrypted credentials using Basic Authentication Policy & Add it to SOAP Header using Assign Message Policy or Using one of the extension policy like Javascript Policy.
• Can we set CORS rules to permit set of cross domain origins?
  • Yes, You can do that. You can compare the request against set of valid domains using Javascript in Apigee & Then use CORS policy with a reference variable to allowed domain. See example here.
• what all are the possible transformations ? is it possible to mapping/restrict response fields(inpayload) from target endpoints?
  • Yes, You can do any transformation of request & response in Apigee Edge. You will have full control of request & response.
  • Use mediation policies / extension policies like javascript or java to modify the response payload & add / remove response payload fields.
  • Out of the box transformations include JSON2XML , XML2JSON. You can extract information using extract variables policy & modify the payload using Javascript, Assign Message Policy.
• Is it possible to setup alerts if the configured target endpoints are not available. Something like to check the health of the target endpoints?
  • Yes, It's possible. Find out more about same here.
  • You can implement a custom solution to send out email / any other alert in response pipe line. Similar thread here.

Hope it helps. Keep us posted if any.