A solution document would really be the RSA Authentication Manager setup guide.
RSA Authentication Manager 8.2 SP1 Setup and Configuration Guide
A web tier is: An internet reachable extension of the self-service console, that can do:
-self service functions
-ctkip token downloads
-receive RBA authentications
It saves you the trouble of making the self service console available through the firewall or using your own proxy, if you want your ctkip and self service to be reachable for users who are not inside your network.
The installer package is on the Auth Manager extras download. You pick a new server on your DMZ, (windows or red hat) to install the software. On the RSA primary ops console, you configure a virtual host which is the internet reachable name and address of the web tier, and the web tier itself can be some other name. Then generate a web tier package, and use that to install the web tier.
The primary use most customers use it for, is ctkip software token downloads for android and iphone, and token provisioning.
On youtube there are RSA videos explaining features of RSA Auth Manager self service and they also explain web tiers. Perhaps this is a good place to start.
RSA Authentication Manager 8.1: Self-Service Overview - YouTube
