Sounds like you are missing a common Business tier.
Well yes, that's the general idea of what we're trying to fix.
An "authorized user" is tracked in the Business tier and once authorized, they do not need to log in again for the other "web apps."
Yes... What code/server changes are involved in making this happen? As I said, all the examples I've seen are single-action command line things, nothing saying HOW an app learns that a user is already authorized, nor how to determine their authorized role.
Individual security modules coded within each "web app" will prevent your attempts at SSO from working.
Again, we're trying to fix this, but we want to do it piecemeal. Convert apps A and B to use the common auth system while C and D don't (yet).
Your answer is exactly the sort of thing I've been finding: high on theory, low on implementation details. I'm sold on the theory, but I can't find any example of how to implement it (aside from the previously mentioned command-line examples). I'm sorry if I explained it poorly the first time around, but I've been googling and reading buzzword-laden papers for 2 days and I'm not much closer to an implementation.
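One way a converted app can learn that a user is already authorized, and in which role, shown as an added example that is not part of the original thread: the central auth service issues a signed ticket once at login, and each converted app verifies it on every request. The shared HMAC key, the cookie name `sso_ticket`, and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Assumption: one secret shared by the auth service and every converted app.
SHARED_KEY = b"constructed-demo-key-not-for-production"

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def sign(body: str) -> str:
    return b64(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())

def issue_ticket(user, role, ttl=900, now=None):
    """Central auth service: called once, after the user has logged in."""
    now = time.time() if now is None else now
    claims = {"user": user, "role": role, "exp": int(now) + ttl}
    body = b64(json.dumps(claims).encode())
    # Assumption: sent as a cookie that all converted apps receive.
    return body + "." + sign(body)

def verify_ticket(ticket, now=None):
    """Converted app: return the claims dict, or None if the ticket is bad."""
    now = time.time() if now is None else now
    try:
        body, sig = ticket.split(".")
        # Check the signature before trusting anything inside the body.
        if not hmac.compare_digest(sig, sign(body)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError, AttributeError):
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired: the user must go back to the central login
    return claims

def handle_request(cookies, required_role):
    """Per-request check inside a converted app (A or B)."""
    claims = verify_ticket(cookies.get("sso_ticket", ""))
    if claims is None:
        return "302 redirect to central login"
    if claims["role"] != required_role:
        return "403 forbidden for " + claims["user"]
    return "200 ok for " + claims["user"]
```

Apps that have not been converted keep their own login unchanged, since they never read the ticket. With a shared key, any app holding it can also mint tickets, so a deployment that does not trust every app equally would use an asymmetric signature instead.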