When attempting to run TEWS calls against one environment, the calls fail with 'not authenticated' even though the user has the rights to the task in IDM itself.
In the IDM code that handles TEWS requests, a null SM_SERVERSESSIONSPEC results in a 'not authenticated' message. The problem is that SiteMinder/SSO generates no SM_SERVERSESSIONSPEC for that user. IDM reads the generated SM_SERVERSESSIONSPEC from the request header, so when it is missing the value is null.
Contact your SiteMinder (SSO) administrator and ask them to ensure that SM_SERVERSESSIONSPEC is set and passed to the protected resource (the IM TEWS URL).