Vittorio wrote an excellent article Secure ASP.NET Web API with Windows Azure AD and Microsoft OWIN Components.
When I tried to do this, ran into two problems.
Firstly, we have a *&&^%^%%$ corporate proxy - I HATE them.
So had to add the following to the test client in the web.config or app.config:
system.netInsert your own xml start / end format!
defaultProxy enabled="true" useDefaultCredentials="true"
proxy bypassonlocal="True" usesystemdefault="True"
Secondly, got the error:
"System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure."
In Vittorio's example, he uses localhost for the web site as did I.
You have to ensure you have no certificate errors when you browse to localhost - you can check that in IE - the certificate box should NOT be red.
If it is, just click it and run the wizard to import it into the "CA Trusted Root" area.
Also, make sure that it has not expired!