Hi Tim,
Possibly you need to distinguish between something which was found to be available and something which is supported (and will remain stable)?
However there is a known limitation to SSO2 tickets which can be frustrating if you don't know it -> some folks switch the user types to SERVICE so that they can avoid password rules and even license costs. but this also has the implication that authentication as a system service does not issue a tivket for the browser of the end user (even if that is the real person...).
There are even a few business applications which respect the user type.
I would check that as the first point of call.
Cheers,
Julius