Plone's session plugin (--> plone.session.plugins.session.SessionPlugin) is based on tktauth -- an SSO mechanism which works exactly as you describe it: via a cookie managed by any service component in the same domain.
By default, the session plugin (--> acl_users/sessions) is configured to operate standalone. But you can easily reconfigure it to cooperate with an external authenticator: for this you would need to define the cookie name and the shared secret used by the external authenticator.
Of course, direct use of the Plone session plugin would require the use of tktauth as your SSO mechanism. If this is not the case, then you could either emulate the approach of Plone's session for your SSO mechanism or use a PAS plugin that takes authentication information from the Web server (and use a plugin there compatible with your SSO mechanism).
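
Added example (not part of the reply above and not plone.session's own code): a minimal shared-secret ticket cookie of the kind described, where one component issues the ticket and another validates it using only the shared secret. The ticket layout, the function names and the choice of HMAC-SHA256 are assumptions for illustration and are not claimed to be wire-compatible with tktauth.

```python
import hashlib
import hmac
import socket
import struct
import time

DIGEST_HEX_LEN = 64  # hex length of an HMAC-SHA256 digest


def _mac(secret, userid, tokens, user_data, ip, timestamp):
    # The MAC covers client IP, issue time and every field carried in the ticket.
    fields = (userid, ",".join(tokens), user_data)
    data = (socket.inet_aton(ip) + struct.pack("!I", timestamp)
            + b"\0".join(f.encode("utf-8") for f in fields))
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def create_ticket(secret, userid, tokens=(), user_data="", ip="0.0.0.0", timestamp=None):
    """Assumed layout: <hex mac><8 hex digits of timestamp><userid>!<tokens>!<user_data>."""
    if "!" in userid or any("!" in t or "," in t for t in tokens):
        raise ValueError("delimiter character in userid or token")
    timestamp = int(time.time()) if timestamp is None else timestamp
    mac = _mac(secret, userid, tokens, user_data, ip, timestamp)
    return "%s%08x%s!%s!%s" % (mac, timestamp, userid, ",".join(tokens), user_data)


def validate_ticket(secret, ticket, ip="0.0.0.0", timeout=0, now=None):
    """Return (userid, tokens, user_data, timestamp), or None if forged, malformed or expired."""
    try:
        mac = ticket[:DIGEST_HEX_LEN]
        timestamp = int(ticket[DIGEST_HEX_LEN:DIGEST_HEX_LEN + 8], 16)
        userid, token_str, user_data = ticket[DIGEST_HEX_LEN + 8:].split("!", 2)
        tokens = tuple(token_str.split(",")) if token_str else ()
        expected = _mac(secret, userid, tokens, user_data, ip, timestamp)
    except (ValueError, struct.error):
        return None  # truncated cookie, non-hex timestamp, missing delimiters
    # Constant-time comparison so the check does not leak how much of the MAC matched.
    if not hmac.compare_digest(mac.encode("utf-8"), expected.encode("utf-8")):
        return None
    now = time.time() if now is None else now
    if timeout and timestamp + timeout < now:
        return None
    return userid, tokens, user_data, timestamp


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    cookie = create_ticket(secret, "alice", ("editor",), ip="192.0.2.10")
    print(validate_ticket(secret, cookie, ip="192.0.2.10", timeout=3600))
```

Both sides must agree on the cookie name, the secret and the exact byte layout fed to the MAC; a mismatch in any of them makes every ticket fail validation.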