I know that JBoss+Tomcat supports this. Basically, the
JBoss application policy is defined as a realm backed by a JAAS LoginModule (this can be custom code, or one of the provided LoginModules) -- then you configure single-sign-on in the tomcat-service.xml. There is a
thread on this subject in the JBoss forums.