Monday, May 5, 2008

SSO Building Blocks

I get asked quite often about the different single sign-on products. People always want to know which one I prefer and with which web server. I have a standard response, and I will explain it here.
Single sign-on applications are all restricted to the same web server and application server APIs that every other vendor must use. So, in a nutshell, there isn't and never really has been a huge difference in how the products protect content. The differences show up in the user interface and in the policy engines. Some make it easier to protect a URL. Some allow you to connect to a relational database. The web server "agents" are probably very similar code, because they must hook into the defined API where the content exists. This also means that all of them create cookies and all can pass header name/value pairs to protected applications. Keep this in mind when making purchasing decisions. Don't focus on the applications and the web server technology. Try to examine the features and functionality of the policy/admin server portion of the software.
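The agent pattern described above can be sketched as Python WSGI middleware. This is an added example, not code from any SSO product: the cookie name, header name, shared key and the user-plus-HMAC cookie format are assumptions, and a real session cookie would also carry an expiry.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

SECRET = b"constructed-demo-key"  # assumption: key shared with the policy server
COOKIE = "SSOSESSION"             # hypothetical session cookie name
HEADER = "HTTP_SSO_USER"          # hypothetical identity header, as WSGI exposes it

def issue_cookie(user):
    """What a policy server would set after login: user plus an HMAC tag."""
    tag = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"

def verify_cookie(value):
    """Return the user name if the tag checks out, else None."""
    user, _, tag = value.rpartition(".")
    good = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    ok = bool(user) and hmac.compare_digest(tag.encode(), good.encode())
    return user if ok else None

class SSOAgent:
    """The agent: hooks in at the server API, in front of the content."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Drop any identity header the client sent; only the agent may set it.
        environ.pop(HEADER, None)
        jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        user = verify_cookie(jar[COOKIE].value) if COOKIE in jar else None
        if user is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"login required"]
        environ[HEADER] = user  # header name/value pair passed to the app
        return self.app(environ, start_response)

def protected_app(environ, start_response):
    """Protected application: reads identity from the agent's header."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {environ[HEADER]}".encode()]

def call(environ):
    """Run one constructed request through agent and app: (status, body)."""
    seen = {}
    start = lambda status, headers: seen.update(status=status)
    body = b"".join(SSOAgent(protected_app)(environ, start))
    return seen["status"], body
```

The header is only trustworthy if the application is reachable solely through the agent; a path that bypasses the agent lets a client supply the header itself.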

