Are you talking about the payload/body? The entire message cannot be encrypted.
I don't know of any published docs or best practices. The entire encryption over REST is pretty much roll-your-own. Pega just supports the transport-level security, which only covers SSL initiation to termination.
Have you looked at JWT (JSON Web Tokens)?