Here is the problem. By default, WSE defaults th encryption method to RSAOAEP which is more secure. However, on Win2K, RSAOAEP is not supported, so WSE defaults to RSA15
on this platform.
You can verify this by looking at the trace files you mention above: The WinXP one will have RSAOAEP whereas the Win2K on will have RSA15.
To fix this, you need to change your server side to accept RSA15 and change your client on WinXP to speak RSA15 as well.
You can change this in your configuration file by doing:
<add valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
<keyAlgorithm name="RSA15" />