I was exactly in same boat as you until two weeks ago and i can tell from first hand that you can do this with Java*.
I put an astrik up there because it will work in a J2EE environment but unfortunately the same jars(rampart libraries) are used by webMethods internally(some wrapper classes) and when you import the external java program in to webMethods you will get a jar conflict and can not resolve them.
As far as i know SAG does not provide anything out of the box to generate this content(WS Security header) and i have ticket to prove that . My suggestion would be use a policy file to generate this content.
Another option if you have CS-Mediator is to apply a security policy matching your requirements on a virtual service and that will generate a policy file in the Virtualized WSDL. You can copy paste this policy information in to a file and then use it on the WSD in webMethods. Of course this is doing things backwards but will get your job done.
By default the policy will be applied to input,output and fault on the WSD. If you want this policy to take affect only for outgoing soap request then just apply it on the input.