What you want to do, I think, looks something like this:
Client
so that, for example, a client can access server B without knowing the password that server A knows.
If so , you can do something similar, but not quite what you want (which may be something like OpenID, although it is allowed with OpenID).
You can have server A doing POST and receive a response and send a response to the Client. Unfortunately, you probably cannot set cookies (they will be valid for subdomain A, and they will no longer be sent to server B), and sessions will probably not work for similar reasons.
Perhaps you have server A acting as a full proxy server: see this answer How do I remove the contents of a website in PHP from a website that requires a cookie? .
Payment gateway
Most banks have an API to do just that (Paypal, even this is not a bank, does , and therefore WorldPay ).
One possible workflow is to send all the data to a bank that responds with a unique identifier. Then you either show all the information yourself, or (especially you prefer banks), the bank shows information to customers when you redirect them using a special URL and a unique identifier.
The client can change the data in his form, but all he gets is to abort the transaction, because these two copies of the data are no longer consistent, and he can not touch the copy you sent (other methods and workflows exist).
If your system works in accordance with this document flow (or similar) and uses its own API for the bank and the proposed methods, please ignore and accept my apologies: you are doing it right. But just in case, if not, well, please think about it.
Trying to create your own cURL workflow is probably possible (for some banks it is definitely possible), but is suspiciously close to turning over your own cryptography , it will probably be less supported by the bank, and may cause some abnormal detector on the banking part (just to bring it, a lot of payments, it seems, will come from the same IP address or range).