To enable encrypted tokens with Web API, I found this helpful: http://www.alexthissen.nl/blogs/main/archive/2011/07/18/using-active-profile-for.aspx
Towards the end you'll see code setting the ServiceTokenResolver property on the Configuration property of a SecurityTokenHandlerCollection using a X509 certificate from the LocalMachine store. The Configuration property is a SecurityTokenHandlerConfiguration, which is one of the parameters to an overload of the AddSaml2 extension method in AuthenticationConfigurationExtensionsCore.cs from the ThinkTecture.IdentityModel source. The below is what I ended up with.
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(Constants.IdSrv.SigningCertThumbprint, Constants.IdSrv.IssuerUri);
var handlerConfig = new SecurityTokenHandlerConfiguration();
handlerConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
handlerConfig.IssuerNameRegistry = registry;
handlerConfig.CertificateValidator = GetX509CertificateValidatorSetting();
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certificates = store.Certificates;
X509Certificate2Collection matchingCertificates = certificates.Find(
X509FindType.FindBySubjectDistinguishedName,
"CN=RPTokenCertificate", false);
X509Certificate2 certificate = certificates[0];
List<SecurityToken> serviceTokens = new List<SecurityToken>();
serviceTokens.Add(new X509SecurityToken(certificate));
SecurityTokenResolver serviceResolver =
SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
serviceTokens.AsReadOnly(), false);
handlerConfig.ServiceTokenResolver = serviceResolver;
authentication.AddSaml2(handlerConfig,
AuthenticationOptions.ForAuthorizationHeader(SamlScheme),
AuthenticationScheme.SchemeOnly(SamlScheme));
Hope it helps.