I'm not sure of OAM intricacies but just a high level thought on SSO with ATG. I think you can probably add a custom filter to check the presence of auth cookie and process that cookie and also enable BasicAuthenticationPipelineServlet in the servlet pipeline. The cookie usually would not be containing a lot of data, its value may contain stuff like account/user-id, a timestamp to know when authentication happened and a trusted signature. You would then have to customize BasicAuthenticationPipelineServlet so that it uses custom authenticator rather than the default OOTB BasicAuthenticator implementation. In your custom authenticator you can use the cookie information to handle SSO login and make user logged-in into ATG. There might be a possibility of using a composite profile repository approach also which you may assess based on your requirements.