I am currently working on a solution including Apigee as the API gateway and ForgeRock OpenAM as the authorization server. We were thinking of using service callouts in Apigee to validate the access token generated by the OpenAM system. However, I am confused about the following quote from the Apigee OAuth documentation:
A common use case is where you have an existing OAuth system in place, and you would like to use the tokens generated by that system with Apigee Edge. On the other hand, if you want to take advantage of Apigee Edge features like Edge Analytics, the developer app ecosystem, developer portal, and so on, you need to use tokens that were generated with Apigee's OAuth system. This topic explains how to configure Apigee Edge to work with third-party (non-Apigee Edge) OAuth systems.
Here is the link to the documentation: http://docs.apigee.com/api-services/content/use-third-party-oauth-system
My question is: What exactly do I lose if I don't use the Apigee OAuth v2 policies and configure my own callouts to validate the access tokens? My current design is that Apigee will only verify the client key to validate the app, and all the user verification and authentication will be handled using callouts to OpenAM. Is there something wrong with this design when it comes to Apigee? This is something I have done successfully using other API platforms like Axway.
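The design sketched in the question (VerifyAPIKey for the app, a service callout to OpenAM for the token) can be expressed as a small set of Apigee Edge policies. The following is an added illustration, not code from the question, the Apigee documentation or ForgeRock; the OpenAM host, the RFC 7662 `/oauth2/introspect` path, the `private.openam.basic` KVM-backed credential, and the `oam.*` variable names are assumptions. The checks that matter from a security standpoint are all in the flow conditions: the introspection response must say `active`, and the `client_id` inside the token must match the app whose key was just verified, so a valid token issued to one app cannot be replayed under another app's key.

```xml
<!-- policies/VerifyKey.xml: validates the app's consumer key (Apigee side) -->
<VerifyAPIKey name="VerifyKey">
  <APIKey ref="request.header.x-api-key"/>
</VerifyAPIKey>

<!-- policies/EV-Bearer.xml: pulls the bearer token out of the Authorization header -->
<ExtractVariables name="EV-Bearer">
  <Source>request</Source>
  <Header name="Authorization">
    <Pattern ignoreCase="true">Bearer {extracted_token}</Pattern>
  </Header>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</ExtractVariables>

<!-- policies/SC-Introspect.xml: asks OpenAM whether the token is valid.
     URL and credential are assumptions; the gateway authenticates itself to the
     introspection endpoint with its own client credentials, never the caller's. -->
<ServiceCallout name="SC-Introspect">
  <Request clearPayload="true" variable="introspectRequest">
    <Set>
      <Verb>POST</Verb>
      <Headers>
        <Header name="Content-Type">application/x-www-form-urlencoded</Header>
        <Header name="Authorization">Basic {private.openam.basic}</Header>
      </Headers>
      <FormParams>
        <FormParam name="token">{extracted_token}</FormParam>
      </FormParams>
    </Set>
  </Request>
  <Response>introspectResponse</Response>
  <Timeout>3000</Timeout>
  <HTTPTargetConnection>
    <URL>https://openam.example.com/openam/oauth2/introspect</URL>
  </HTTPTargetConnection>
</ServiceCallout>

<!-- policies/EV-Introspect.xml: lifts the fields the flow conditions need -->
<ExtractVariables name="EV-Introspect">
  <Source>introspectResponse</Source>
  <VariablePrefix>oam</VariablePrefix>
  <JSONPayload>
    <Variable name="active"><JSONPath>$.active</JSONPath></Variable>
    <Variable name="client_id"><JSONPath>$.client_id</JSONPath></Variable>
    <Variable name="scope"><JSONPath>$.scope</JSONPath></Variable>
    <Variable name="sub"><JSONPath>$.sub</JSONPath></Variable>
  </JSONPayload>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</ExtractVariables>

<!-- policies/RF-Unauthorized.xml: single failure path, no detail leaked to the caller -->
<RaiseFault name="RF-Unauthorized">
  <FaultResponse>
    <Set>
      <StatusCode>401</StatusCode>
      <ReasonPhrase>Unauthorized</ReasonPhrase>
      <Headers>
        <Header name="WWW-Authenticate">Bearer</Header>
      </Headers>
      <Payload contentType="application/json">{"error":"invalid_token"}</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>

<!-- proxies/default.xml (excerpt): the order and the conditions are the design -->
<PreFlow name="PreFlow">
  <Request>
    <Step><Name>VerifyKey</Name></Step>
    <Step><Name>EV-Bearer</Name></Step>
    <Step>
      <Name>RF-Unauthorized</Name>
      <Condition>extracted_token = null</Condition>
    </Step>
    <Step><Name>SC-Introspect</Name></Step>
    <Step><Name>EV-Introspect</Name></Step>
    <Step>
      <Name>RF-Unauthorized</Name>
      <!-- reject on callout failure, inactive token, or token/app mismatch -->
      <Condition>(introspectResponse.status.code != 200) or
                 (oam.active != "true") or
                 (oam.client_id != verifyapikey.VerifyKey.client_id)</Condition>
    </Step>
  </Request>
</PreFlow>
```

Two practical notes on this shape. First, every request now costs a round trip to OpenAM; a KVM or response cache keyed on a hash of the token, with a TTL shorter than the token lifetime, is the usual way to keep the callout off the hot path. Second, because none of the `oauthv2.*` flow variables are populated, Edge Analytics will not attribute traffic to a developer or token, which is the concrete thing the quoted documentation is warning about; the `oam.sub` and `oam.client_id` values extracted above are what you would have to write into analytics-visible variables yourself if that reporting matters.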