/ws/1/entitlement/decision is a deprecated interface, so I'm not sure how keen we are on digging into this part of OpenAM. But...
... while working on some documentation, I set up a basic policy to allow access to all authenticated users to http://www.example.com/*. I observed the result with /ws/1/entitlement/decisions saying HTTP GET was allowed on http://www.example.com/index.html. Yet, I saw this endpoint returning deny repeatedly for that resource.
Was expecting allow.