Are you using ForgeRock agents to protect your resources, aside from IG protecting AM itself? If sl, cross-domain single sign-on is supported by these agents. You don’t say what AM version you’re using, but CDSSO well-documented for all versions of AM and the agents. An old but good overview of how CDSSO is implemented can be found on @peter-major’s blog at https://blogs.forgerock.org/petermajor/2014/05/cross-domain-single-sign-on/. In later agent versions the mechanism has changed, but the basics have not.