Solution is:
in the ws security policy file of the proxy service add in the <RampartConfig> element the child <tokenStoreClass>my.company.TokenStorageImplementation</tokenStoreClass>
then create a class that implements org.apache.rahas.TokenStorage, with custom business logic and put it in the carbon classpath eg: repository/components/lib
I think this is very usefull, because otherwise rampart save all received token in heap memory, so in a production environment this may cause Heap space saturation
hope it helps!