I've been looking at SSO (why I mentioned JAAS) but it just seems like overkill, and a lot of effort.
Not really and not always. If you're using WebLogic, take a look at IdentityAssertionProviders, they are easy to implement and won't require any code changes on your app side. Other containers might have similar solutions.
Regards.