I had this same issue. It is possible however. As you have probably found out, it is very easy to set up a call in Java or even SoapUI because all of the WS-Security is either built in or is available in a library. When doing this from PL/SQL, you must build the WS-Security Headers by hand. However, This is very simple if your endpoint is expecting Username Token Authentication.
EXAMPLE
This example is a snippet from the function that I employed to build the SOAP Envelope to make a web service call to an endpoint in WSO2 ESB.
FUNCTION getSoapRequest RETURN CLOB
IS
lUserName VARCHAR2(100) := 'myuser';
lPassword VARCHAR2(100) := 'mypassword';
lSoapRequest CLOB;
BEGIN
--Get your Created and Expiration Timestamps for the Token (In this case it is 3 minutes)
SELECT TO_CHAR(SYSDATE + (4/24), 'YYYY-MM-DD')||'T'||TO_CHAR(SYSDATE + (4/24), 'HH24:MI:SS')||'Z'
,TO_CHAR(SYSDATE + (3/1440) + (4/24), 'YYYY-MM-DD')||'T'||TO_CHAR(SYSDATE + (3/1440) + (4/24), 'HH24:MI:SS')||'Z'
INTO lCreateTimestampString,
,lExpireTimestampString
FROM dual;
lSoapRequest :='<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:Cisco_IncidentCreateWS_ext">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-14">
<wsu:Created>'||lCreateTimestampString||'</wsu:Created>
<wsu:Expires>'||lExpireTimestampString||'</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-13">
<wsse:Username>'||lUserName||'</wsse:Username>
<wsse:Password Type="wsse:PasswordText">'||lPassword||'</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
…
</soapenv:Body>
</soapenv:Envelope>';
RETURN lSoapRequest;
END getSoapRequest;