Yes, J2EE/JEE - including Tomcat - do support Single Signon!
Any webapp that employs
J2EE Container-Managed Security will automatically run in an SSO environment.
Tomcat uses plug-in modules called Realms to manage the interface to external security services. The most popular SSO Realm is the CAS Realm, which comes from Yale, I think. I don't know if it has specific hooks into OpenID Connect, but if not, it's not chances are that there is a Realm module available from somewhere that does. Or you can always write your own.
One thing to note is that in a Windows shop there can be 2 types of "single signon". One is where you log into your Windows workstation and your login identity is carried over to the in-house webapps. The Linux/Unix equivalent would be to use Kerberos. However in a rare fit of security consciousness, Microsoft didn't enable this in Internet Explorer by default (I can't speak for Edge), so a registry setting must be changed for every workstation that wants to take advantage of it.
The other type of SSO (which is probably what you're looking at, if you're using OpenID) doesn't use the Windows authentication system - it establishes an Internet security Realm for all participating applications. In that event the first attempt at accessing a secured resource on any app in the Realm would trigger a request for login. This allows users who aren't on the in-house LAN (and may not be running Windows at all) to enjoy SSO benefits.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.