I made the bulk of the POX and SOAP web services in CICS. (CICS can access both DB2 and IMS). What surprises distributed people is tag names. They are usually generated from language structures, so they look (in our case) COBOL variable names.
In addition, SOAP looks like WSDL says, POX looks like POX.
If you have a circuit, work with it. Do not worry that this is a mainframe or that the data is stored in IMS or DB2, write in the specification.
You might want to ask about authentication mechanisms, as this is another stumbling block regardless of platform. People are usually nervous about unauthenticated access to their business systems, even if that access comes from another part of the same organization. No one wants to create a vulnerable hole in their security.
In our case, when using CICS, we needed a login ID and password for each transaction - basic http authentication in accordance with RFC 2617 . Depending on your policies and procedures, this password may expire on a regular basis. Some organizations allow identifiers without expiration; some do not.
The option that we reviewed but did not implement is SSL certificates. CICS allows you to send a certificate along with the request, and then CICS maps the certificate to the login ID, under which the rest of the transaction is performed. The identifier is verified based on the certificate. This is done in the TCPIPSERVICE definition in CICS.
I understand that I am talking about CICS, and you did not even mention this in your question, but I must believe that you will come across similar concepts / problems. IMS also runs web services, and I seem to remember that there is a mechanism for representing the DB2 stored procedure as a web service. IMS, DB2, and CICS all use the same external security manager backstage.