Security Basics mailing list archives

OTP with SOAP messages and swing client


From: dim () colebatch com
Date: 14 Aug 2006 23:44:20 -0000

I have a swing client that communicates with a server via soap messages.  The powers that be have decided that for 
access outside the trusted network a higher level of authentication is required and at this stage we're looking at 
using SMS messages to distribute one-time passwords (there are also webapps that will use this and they are obviously 
easier to integrate with this sort of thing). 

At the moment we use a dodgy WS-Security header with username and (woo hoo) base64 encoded password in the soap header 
(transmitted over https).  Obviously this approach doesn't work with OTP.

What I'm thinking is something like the following:

1. User requests OTP via some mechanism where they provide username/password, server creates a nonce and a secret and 
sends it to their pre-configured mobile number via SMS
2. User enters said nonce and secret to client
3. App stores secret and nonce

With subsequent messages we then have the following:

4. Client combines 'current' nonce and secret and generates a hash based on them to send to the server as auth
5. Server does auth check based on username/hash provided
6. Server responds with new nonce in the header along with the rest of the soap document response
7. Client stores new nonce for next message

Steps 4,5,6,7 can then be repeated forever without exposing ourselves to replay attacks.

At a glance, this seems ok, but of course these things shouldn't be done at a glance and it concerns me that I'm 
combining bits of this and bits of that - surely there are smarter people than me who have already been through this?  
I must be asking the wrong question because my googling so far turns up OTP stuff which is all nice and easy when 
something else is taking care of the session (which thinking aloud would still expose a webapp to a replay attack 
within the "session"), but doesn't really apply with a stateless protocol.

Any ideas on this?

cheers
dim
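The nonce-chained exchange described in steps 1 through 7, as an added example that is not part of the original post (and not Swing or SOAP code; it models only the authentication logic in plain Python). Both sides are in one file so the replay check can be exercised: the server keeps per-user secret and current nonce, the client proves possession of the secret with an HMAC-SHA256 over the current nonce (the post says only "a hash based on them"; the keyed hash and the hex nonce sizes are assumptions), and every successful call rotates the nonce. It goes one step beyond the post by also binding the request body into the MAC, so an intercepted header cannot be reused with a different body within the same nonce window. The user, password and the in-memory "SMS outbox" are constructed stand-ins.

```python
import hashlib
import hmac
import secrets


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Primary credential check for step 1; PBKDF2 instead of the base64 password the post describes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def compute_proof(secret: str, nonce: str, body: str) -> str:
    # Step 4: keyed hash over the current nonce. Including the request body is an
    # addition beyond the post: it ties the proof to this exact request.
    msg = nonce.encode() + b"\x00" + body.encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


class OtpServer:
    def __init__(self):
        salt = secrets.token_bytes(16)
        # Constructed sample user store: username -> (salt, password hash).
        self.users = {"dim": (salt, _pw_hash("correct horse", salt))}
        self.state = {}        # username -> {"secret": str, "nonce": str}
        self.sms_outbox = []   # stand-in for the SMS gateway (constructed)

    def request_otp(self, username: str, password: str) -> bool:
        # Step 1: verify username/password, mint a secret and first nonce, "send" them by SMS.
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(_pw_hash(password, rec[0]), rec[1]):
            return False
        secret, nonce = secrets.token_hex(8), secrets.token_hex(8)
        self.state[username] = {"secret": secret, "nonce": nonce}
        self.sms_outbox.append((username, secret, nonce))
        return True

    def handle(self, username: str, proof: str, body: str):
        # Steps 5 and 6: recompute the expected proof for the *current* nonce; on success
        # rotate the nonce and return it with the response. A replayed proof fails because
        # the nonce it was computed over is no longer current.
        st = self.state.get(username)
        if st is None:
            return None
        expected = compute_proof(st["secret"], st["nonce"], body)
        if not hmac.compare_digest(expected, proof):
            return None
        st["nonce"] = secrets.token_hex(8)
        return {"result": f"processed {body}", "next_nonce": st["nonce"]}


class OtpClient:
    def __init__(self, username: str):
        self.username = username
        self.secret = None
        self.nonce = None

    def enter_sms(self, secret: str, nonce: str) -> None:
        # Steps 2 and 3: user types the SMS contents into the client, which stores them.
        self.secret, self.nonce = secret, nonce

    def call(self, server: OtpServer, body: str):
        # Step 4 (send proof) and step 7 (store the new nonce from the response).
        proof = compute_proof(self.secret, self.nonce, body)
        resp = server.handle(self.username, proof, body)
        if resp is not None:
            self.nonce = resp["next_nonce"]
        return resp


def demo():
    """Runs the exchange once and shows that a replayed header is rejected."""
    server = OtpServer()
    client = OtpClient("dim")
    assert server.request_otp("dim", "correct horse")
    _, secret, nonce = server.sms_outbox[-1]      # constructed: read the "SMS" directly
    client.enter_sms(secret, nonce)
    first_proof = compute_proof(secret, nonce, "getBalance")
    r1 = client.call(server, "getBalance")          # legitimate call, nonce rotates
    replay = server.handle("dim", first_proof, "getBalance")  # same header resent
    r2 = client.call(server, "transfer")            # next call with the new nonce
    return r1 is not None, replay is None, r2 is not None


if __name__ == "__main__":
    print(demo())
```

The server never sends the secret again after step 1; only nonces travel in the SOAP headers, and each one is good for exactly one request. Note that the scheme still depends on TLS for confidentiality of the message bodies, and on the SMS channel for the one-time delivery of the secret.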

