I will hit a few of the easy ones here first and then tackle the others...
Keychain sees the CAC card and typing in the pin there unlocks the CAC card.
We provide the ability to unlock the Smart Card via Keychain Access, but there is no need to. Anytime the OS services need to use your Private Key on the card or display the PIN protected data on the card, you would be prompted for the Smart Card's PIN (It will ask for the Keychain's Password -- and since the Smart Card is a Keychain, the PIN == Password referenced in the Dialog). As long as you do not remove the Smart Card, you will not be prompted again for the PIN. That decision is determined by the ACLs (Access Control Lists) on the objects stored in the card and the CAC does not provide an ACL to require PIN entry on every use --- hence the reason you were not prompted again when using Safari.
You create Identity Preferences to access PK-enabled Services -- only if the site is configured not to require Certificate-based authentication. Otherwise, if it is configured as requires, Safari would prompt you for which certificate to use from the card and automatically create the Identity Preference for you.
Adjust the URLs you are referencing in the ID Prefs to match the Real URL of the Server where Authentication is taking place and also note that you should "usually" use a trailing "/" at the end (but recent NMCI changes alter that for those folks).
This one appears to be correct, but of course I have no way of verifying without a valid CAC and access.
Maybe someone else within SPAWAR using Mac OS X can verify what URL is correct for this one.
Also, be sure that if you are using the correct certificate to authenticate to the web services. Which one to use is determined by the configuration of the site.
Safari doesn't prompt me for the pin.
As noted above, if you have unlocked the Smart Card (keychain), you will not be prompted again unless you remove the Smart Card from the reader or your system screen saver kicks in or system goes to sleep.