The problem sounds like is that the WAP is redirecting a request with a valid token, this shouldn't happen.
CORS on ADFS is if you want to make CORS calls to ADFS. This doesn't sound like what you want. Once the session has been authenticated, you shouldn't need to contact the ADFS server as long as the cookie or token is there.
I do have a question about the Windows auth you mentioned, are you talking about the legacy Windows auth with NTLM where there is no token or cookie involved? Or is this claims Windows where you get a fedauth token? Are you using the S2S token helper method with the Windows identity to get the token?
If you have to authenticate against the WAP from JS code running in the browser, that would mean you would have to write the code to maybe ask for a page first to handle the redirects for the WAP auth. Then once that is all working, then make the real AJAX calls to get the SharePoint data.
This wouldn't be an issue if the calls aren't done from the browser since you can set up the proxy on the call in C# code, but you can't do that from the browser.