It seems as though your problem lies with the Token Encryption Policy, and the security required therein...
"Token Encryption Policy
The Token encryption policy determines whether the tokens that ACS issues for the relying party application are encrypted. To require encryption, select the Require Encryption value.
In ACS, you can configure an encryption policy for SAML 2.0 or SAML 1.1 tokens only. ACS does not support encryption of the SWT or JWT tokens.
ACS encrypts SAML 2.0 and SAML 1.1 tokens using an X.509 certificate containing a public key (.cer file). These encrypted tokens are then decrypted by using a private key possessed by the relying party application. For more information about getting and using encryption certificates, see Certificates and Keys.
Configuring an encryption policy on your ACS-issued tokens is optional. However, an encryption policy must be configured when your relying party application is a web service that is using proof-of-possession tokens over the WS-Trust protocol. This particular scenario does not function properly without encrypted tokens." Taken from here
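To make the relying-party side of the quoted description concrete: the token ACS encrypts with the public key from the uploaded .cer can only be processed if the application holds the matching private key and is told where to find it. The snippet below is an added illustration, not code from the original answer or from the ACS documentation; it assumes a .NET 4.5 relying party using the built-in WIF `system.identityModel` configuration, and the thumbprint and audience URI are placeholders.

```xml
<configuration>
  <system.identityModel>
    <identityConfiguration>
      <!-- Certificate whose PRIVATE key decrypts SAML tokens that ACS encrypted
           with the matching PUBLIC key (.cer) registered on the relying party.
           The thumbprint is a placeholder, not a value from the page. -->
      <serviceCertificate>
        <certificateReference x509FindType="FindByThumbprint"
                              findValue="PLACEHOLDER_THUMBPRINT"
                              storeLocation="LocalMachine"
                              storeName="My" />
      </serviceCertificate>
      <!-- Audience the token must be addressed to; placeholder realm. -->
      <audienceUris>
        <add value="https://placeholder-rp.example/" />
      </audienceUris>
    </identityConfiguration>
  </system.identityModel>
</configuration>
```

Two checks worth doing when decryption fails even with this in place: the certificate in the LocalMachine\My store must actually contain the private key (the .cer you upload to ACS does not), and the identity the application runs under must have read permission on that private key, otherwise the token handler cannot decrypt the token and the request is rejected.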