If I remember right, jForum parses the URL to extract it's own parameters (e.g. module, action, and the like). I think there was a bug in the 2.1.7 that would cause it to drop extra parameters but I thought it was fixed in 2.8. You might look at the WebRequestContext code to see if this is working correctly.
Also, the SSO model first uses isSessionValid to determine the user status. It only calls the authenticate user method if a login screen is used. Are you checking for your autologin parameter in that method too?
Note that every request will call isSessionValid. So you will need a way to validate the session after the initial call with your URL token. E.g. session variable or cookie. [originally posted on jforum.net by monroe]
The jforum.page already jumps to action list of module forum as far as I remember. If you wish to overwrite this, you have to delete the old action and old module parameter on the jforum side and set the new action and module. Why you have to delete ? Because it's now a "bucket" which would allow multiple actions, which then results in weird behaviour ;)
had to adapt my code for 2.1.8 a bit there.
I've implemented the SSO to pass along username, email, group-id, aswell as a timestamp and cipher - to ensure there'S no way to get into the forum without permission.