I recommend using the J2EE standard container-managed security system. An SSO security system that is, instead, applied as internal app logic is a logistical nightmare in the offing, since any changes to the global security environment could immediately affect application logic. Besides which, I still haven't seen any user-designed security systems (SSO or otherwise) that had any creditable security even after all these years.
To provide SSO at the container level, you'd need to provide an SSO Realm to the container environment. Whether you use an existing one such as CAS or construct your own doesn't really matter. Other than, of course, the fact that if you roll your own, you have to design, code, and implement the mechanisms that allow the Realm to authenticate and authorize via whatever central security facilitie(s) you tap into.
Customer surveys are for companies who didn't pay proper attention to begin with.