There's already a tried and tested, secure single sign-on protocol available: namely, Kerberos.
There isn't time in this talk to go into all of the details; see the links at the end for more information.
