OAuth call from Apigee to the backend service that issues access token

Hi,

We had an unsecured SFDC API which we have secured using Apigee. We have built a 2-legged OAuth proxy for the client to get the access token from authorization server and then a proxy for this SFDC API which issues a proper response after the client access token has been verified. We have bundled 2-legged OAuth Proxy and SFDC proxy into a product. Everything here works securely as expected with Apigee, however the back-end SFDC API is still accessible if we call the API with direct URL. In order to eliminate users directly accessing the SFDC API, we are trying to implement the OAuth Authentication at SFDC. So with this implementation the desired flow is that after the first leg of authentication within Apigee, it should call the SFDC OAuth endpoint by passing the client credentials & Username/password and SFDC OAuth endpoint will validate the request and issues an access token. We will then use this access token issued by SFDC OAuth endpoint and make a call to SFDC back end API (Apigee Proxy) by passing the access token within the header to access the information. I have the following questions regarding the implementation:

1) SFDC doesn't store the access tokens issued in its cache. It will just issue an access token and time it issued and at Apigee we should store this token in its cache and re-use it for subsequent calls and when the access token is expired we should make a cal again to SFDC OAuth endpoint to issue an access token.

2) Can we implement this using extensions provided by Apigee? If so could you please direct me how to implement it?

3) Instead exchanging client credentials and username/password to get access token can we employ certificate based authn to get access token from SFDC endpoint?

I am looking for any suggestions on how to implement this and best way to implement this. Could anyone please help me?

Thanks,
Rakesh