SSL/TLS encrypts at transport level; WS-Security encrypts at message level. SSL/TLS provides in-transit security only. This means that the request is only encrypted while it is travelling from client to server (or back). ... WS-Security maintains the encryption until the moment when the request is processed. SSL/TLS secure messages at HTTP level whereas WS-Security at XML level. In performance-wise SSL is very much faster than WS-Security.
Please note that REST-based WebServices inherits security measures from the underlying transport level security.
Limitation with SSL/TLS
1. SSL/TLS is at point-to-point whereas WS-Security is at end-to-end, where multiple intermediary nodes (WebServers, Load balancer, proxy server etc) could exist between the two endpoints.
2. SSL/TLS does not provide Know-Your-Customer (KYC) whereas WS-Security provides this feature.
3. SSL does not provide element-wise signing and encryption. For example, if you have a large purchase order XML document, yet you want to only sign or encrypt a credit card element, signing or encrypting only that element with SSL proves rather difficult. Again, that is due to the fact that SSL is a transport-level security scheme as opposed to a message-level scheme.
We can configure transport level security and message level security without configuring SSL/TLS at server level then you need to configure SSL/TLS WSM policy at WebService level for example oracle/wss_http_token_over_ssl_service_policy.