I've just used this myself for the first time, and here's how I did it.
I had an existing recommendation form that has two universal email functions in it (one for creator, one for recipient), and it also posts into a database the content entered in to the form so the site administrator can see what content is being looked at by site users.
What I have done is add the captcha and do the server validation on the form page. When there is an error in the captcha code, I simply redirect the user to a simple html page that says: 'There was an error in the security code, click here to go back.' (a javascript history back -1).
Basically, the captcha coding needs to be added entirely on the form page as far as I am concerned... I might be wrong, but that is the way it is working for me.
Hope that helps.
Mat