I'm looking for gotchas, pointers, samples and other things I can use to learn how to do this.

• don't do the XmlHttpRequest's yourself (use a mature, robust, cross-platform wrapper. eg: Dojo.io)
• don't bother with REST, you'll depend too much on the webserver accepting non-"standard" request types.
• do use JSON or SOAP (I'd say JSON as most browser SOAP implementations are not well done)
• do perform request validation on both the client and server side (on the client to help the user, on the server for security)
• do make sure to implement some form of sequencing in your session-management so that service replies aren't handled out-of-order by the client (if that's a problem)
• do handle exceptions on the server side gracefully, all client-side submission Javascript should be ready to handle an error condition (not related to HTTP)
• don't use synchronous AJAX calls under any circumstances as they have extremely poor robustness in most browser implementations.
• do make sure to use a tool like FireBug in order to debug (and profile) you're AJAX requests.
• do show the user some useful indication that the server is doing something; robustly handle error conditions so that the user-interface never hangs.
• if the user shouldn't double-click (or some other form field interaction), make sure they can't.
• if possible, detect old/phone-based browsers and redirect them to an "old school" form on a different page.

-David.