See To Configure a REST Web Service for more information.
When a web page script tries to invoke a service, the Same Origin Policy (SOP) is applied. If the service is hosted by a server other than the one the script was downloaded from, the script is not allowed to process the response unless the response message from the server indicates that it trusts the client. This is a security feature implemented in all of the major browsers, to prevent malicious scripts from performing actions on other servers that the user has access to. The SOP will block scripts from using the results of CICS REST web services, since Enterprise Server for .NET is not the server the script was loaded from.
CICS can tell the browser that the script is allowed to use the results of the service by setting the Access-Control-Allow-Origin HTTP response header. The value of the header can be the origin of the web page making the request, or the wildcard *, which lets any script invoke the service. The origin of a web page is typically the first part of the URL used to fetch it, such as "http://example.com"; it should match the value of the Origin header in the request made by the script. Setting * is simpler, but it lets any web page that can reach the service read its responses, so it is a security risk where the service can be accessed by untrusted clients.
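The choice described above, as an added example that is not Enterprise Server for .NET code: a server-side routine that derives the Access-Control-Allow-Origin value from the request's Origin header by exact match against an operator-configured allow-list, or returns the wildcard when that has been chosen. The names allowedOrigins, allowAnyOrigin and withCredentials are assumptions; the credentials rule it enforces (the CORS specification does not permit * on credentialed responses) goes beyond what the page states.

```javascript
// Normalise an origin string to "scheme://host[:port]" so that
// "HTTP://Example.com:80" and "http://example.com" compare equal.
// Returns null for anything that is not an http(s) origin (e.g. "null").
function normalizeOrigin(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return null; // not parseable as a URL at all
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.origin; // scheme and host lower-cased, default port dropped
}

// Decide the CORS response headers for one request.
// - requestOrigin: value of the request's Origin header
// - allowedOrigins: assumed operator-configured allow-list of page origins
// - options.allowAnyOrigin: emit "*" instead of matching (the page's shortcut)
// - options.withCredentials: the service relies on cookies/HTTP auth
// Returns the headers to add, or null when the origin is not trusted.
function corsHeadersFor(requestOrigin, allowedOrigins, options = {}) {
  const { allowAnyOrigin = false, withCredentials = false } = options;
  if (allowAnyOrigin) {
    // "*" lets any page read the response; browsers reject it on
    // credentialed responses, so refuse the combination outright.
    if (withCredentials) {
      throw new Error("Access-Control-Allow-Origin: * cannot be combined with credentials");
    }
    return { "Access-Control-Allow-Origin": "*" };
  }
  const origin = normalizeOrigin(requestOrigin);
  if (origin === null) return null;
  // Exact-match the whole origin: a prefix or suffix match would let
  // "http://example.com.attacker.test" pass for "http://example.com".
  const allowed = new Set(allowedOrigins.map(normalizeOrigin).filter((o) => o !== null));
  if (!allowed.has(origin)) return null;
  const headers = {
    "Access-Control-Allow-Origin": origin,
    // The value now depends on the request, so shared caches must key on Origin.
    "Vary": "Origin",
  };
  if (withCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}
```

Returning null means the service sends no Access-Control-Allow-Origin header at all, which leaves the browser's Same Origin Policy in force for that page.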
Similarly, it is generally useful to set the commarea response encoding attribute to "text", to indicate that the transaction program's response should always be treated as a text string.