mod_osso provides only authentication. The doc says it does not provide authorization. (Access Manager 11gR2)
1. I wanted to know then, in what scenarios would one use mod_osso ?
I have used WebGate on OHS http server and it protected the urls fine, with a configurable policy that included an authentication of user and followed by authorization to access the urls, depending upon user profile.
2. If mod_osso is not providing authorization then who is handling the authorization piece? Clearly appears that authorization handling is left for the admin of the site to take care of (or whoever is responsible for providing Access Management)? Is that correct?
They are not same. You should use webgate for all possible scenarios. Mod_osso is only to be used in places where you cannot install webgate on the webserver or the product is only supported with mod_osso.