The goal is to not have the users ever log into Okta to update/reset/set security questions.
Yes you can create a seperate standalone web interface using Okta API's. Check developer.okta.com for API information. Here is the API test client where you can get familiarize with Okta API's. http://developer.okta.com/docs/api/getting_started/api_test_client.html
In addition, we would want to control all emails sent from our servers as opposed to Okta servers, e.g. password reset.
If you build your email flow on top of our API. Yes you can have your servers send the emails instead of ours.