A proxy user, not a proxy server, is required.
The proxy user must have administrative access to CA Service Desk Manager (SDM) so that it can invoke the impersonate() web services method for the purpose of restricting access to the SDM object layer data according to the USS end user's data partitions.
In other words, the end user that is using USS, connects to USS, USS then does SOAP calls to SDM as casmadmin and proxies the end userid to impersonate that user. This way all data is restricted to what the end user can see via the SDM object layer.
As in other out-of-the-box SOAP Web Services Access Policies, enabling Allow Impersonate and specifying a Proxy Contact is necessary not only for USS, but also for Visualizer and other components.