The problem is indeed it the POST request. Post request raises CSRF handler on every page that inherits from CMSPage. CSRF validates both page hidden field and CSRF cookie tokens, however since your request is coming from an outer source the tokens will not match.
What version are you using? In version 10 there might be a workaround, that I had mentioned on this article http://devnet.kentico.com/articles/payment-gateways-and-csrf-protection
In v9 though you will need to choose between lower protection and keeping post to the page or you can create another approach, post data to some HTTPHandler and use get to load the page for user.