The idea of Single Sign On isn't that you are automatically signed in to multiple things once you are authenticated to one; it is that you use one set of credentials to log into multiple things. Windchill can participate in OAuth to share the same credentials, but if you go to each application on its own, you would still need to log in.
A potential solution (not recommended) would be to authenticate to a proxy and have the applications trust the HTTP header passing the username. This is insecure, as someone could spoof a header and the application wouldn't have any indication you are not the logged-in user.
Another option (better) would be to have your IdP use a Kerberos ticket to authenticate the user instead of username/password. This would essentially use your computer credentials to authenticate the user (Windows would be automatically set up for this, but some config for Macs and Linux machines would be required).
Note: if you want the third-party app to communicate to Windchill and act on the user's behalf, you would still have to configure your app(s) and Windchill for OAuth Delegated Authorization.
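The header-trust weakness described in the second paragraph, shown as an added example that is not part of the original post and is not Windchill or proxy code. The header names, proxy network and shared key are hypothetical; the sketch contrasts an application that believes any username header with one that accepts it only from the proxy's address and with a valid MAC.

```python
import hashlib
import hmac
import ipaddress

# Hypothetical names and constructed values, for illustration only.
USER_HEADER = "X-Remote-User"
SIG_HEADER = "X-Remote-User-Sig"
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.5.0/29")]
PROXY_KEY = b"constructed-demo-key"  # would come from a secret store

def naive_user(peer_ip, headers):
    """The insecure pattern: whoever sets the header is treated as logged in."""
    return headers.get(USER_HEADER)

def sign(username):
    # MAC over the username only; a real design would also bind a timestamp
    # so a captured header pair cannot be replayed later.
    return hmac.new(PROXY_KEY, username.encode(), hashlib.sha256).hexdigest()

def proxy_forward(client_headers, authenticated_user):
    """Proxy side: discard client-supplied identity headers, then set its own."""
    reserved = {USER_HEADER.lower(), SIG_HEADER.lower()}
    out = {k: v for k, v in client_headers.items() if k.lower() not in reserved}
    out[USER_HEADER] = authenticated_user
    out[SIG_HEADER] = sign(authenticated_user)
    return out

def hardened_user(peer_ip, headers):
    """App side: trust the header only from the proxy and only with a valid MAC."""
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in TRUSTED_PROXIES):
        return None  # request did not arrive through the proxy
    user = headers.get(USER_HEADER)
    sig = headers.get(SIG_HEADER, "")
    if not user or not hmac.compare_digest(sig, sign(user)):
        return None  # header missing, or not produced by the proxy
    return user
```

Even with these checks the application still depends entirely on the proxy and on network isolation, which is why the Kerberos-backed IdP in the third paragraph is the better option.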