So you have a server and users. Users perform digital signing of data on their systems. Timestamping is done together with signing (it proves the signing time). Timestamping is performed by trusted thirdparty TSA (Timestamping Authorities). The code which will do signing will contact the TSA (usually using HTTP or HTTPS protocol) and timestamping will be performed that way. TSA's certificate is included with the timestamp so that the timestamp can be validated later.
Now about technical side. For web application your best option is to create an applet or ActiveX control which will be downloaded to user's browser and which will do signing.
Our company offers pre-created solution for this, and I described it in details in this answer.
Of course you can let the user download the document and sign it using Acrobat stuff or some other client-side application, then upload the document back. If you decide to write such application yourself, you would need signing components, eg. IText or our SecureBlackbox.