In the end my salvation came by using the Sentinet Service Repository which does allow me to virtualize the web service and can include authentication with ACS. It does so using binding configuration and this extract does the job of providing ACS authentication. Note that you need to be using HTTPS protocol.
I've not had a chance yet to add this directly to a web service to see if it works. My hope is that just adding it will be enough and then all I need to do is pass in the user name and password when I call the web service. What ACS will do is produce a SAML token which will be encrypted within the SOAP message.
<issuerMetadata address="https://mynamespace.accesscontrol.windows.net/v2/wstrust/mex" />
<issuer address="https://mynamespace.accesscontrol.windows.net/v2/wstrust/13/username" binding="ws2007HttpBinding" bindingConfiguration="AcsBinding" />
<message clientCredentialType="UserName" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="false" />