Yes you are correct that a single signon handler would be a good approach. I have built similar implementations in both cross-domain (a.com, b.com) and root-domain (sub.a.com, sub2.a.com, *.a.com) environments.
It really depends on how you store your cookies - there was recently an enhancement for eZ Publish which should come out in 4.4 which allows you to specify the domain name you wanted stored for login cookies - then it's a matter of building a suitable SSO handler to meet your requirements.
In your case with multiple different domain names you will need an intermediate domain that handles all authorisations via redirects to that domain to check the auth cookie - then you need to redirect back to the requested domain and set a login cookie for the specific domain.
