I've been having the same problem for weeks now. The problem doesn't seem to be at the HTTP level, but at the internal level. Today I use a Python script that receives and processes cXML and sends a Json to my ecommerce. The SAP people say that the punchout catalog link needs to be the same as the API link. Does that make any sense? The response seems to be perfect. Does anyone know if there are any limitations in the structure of the external script?