From what I've found, this can't be done without heavy modification of LiveCycle and the built-in Apache server. But a workaround I found was to turn on LiveCycle Single Sign On instead. So I'm not doing "true" Kerberos delegation but this can meet our business requirements.
SSO works for both HTTP and SOAP requests.