Raj,
WS-Security vs. SSL says under 'SSL Provides In-Transit Security Only' -
.... you'll begin to realize that the request is only encrypted while it is travelling between the client and the server. Once it hits the server, it is decrypted from that moment on.
To be completely accurately, it might not even need to hit the server to be decrypted. If, for example, you have a proxy server in front of you web server, it is possible that the decryption certificate has been installed there. That way the server can examine the message to determine the correct routing. However, the message may not be re-encrypted before it is set to the web server that will actually handle the request. So now that 'secure' request is travelling along a network in clear text. Granted, the network that is travels along is quite likely the internal one for the company hosting the server. Still, there is the possibility that sensitive data can be picked up.
Regards,
Dan