Having 2 Directories is in fact contradictory to SSO. You either have SSO and everyone's accounts live ina single location, or you have multiple user repositories, and take on the administrative nightmare.
For example, where I work, we use AD for user authentication. The AD stuff is accessible via MANY protocols, I have Kerberose, LDAP, Cisco TACACS+, RADIUS, PEAP, EAP-TLS, etc, but they all back end on the same database of users in Active directory. That's SSO.
The only other thing you can do, that I can think of, is that if the resources in question are accessible via the WEB, you can try to implement Security Assertion Markup Language (SAML), but that scares the heck out of me. You could also, with some hacking try to make that work with PAM. To best of my knowledge there is no current SAML plugin for PAM, but I had been toying with the idea of writing one (as much as SAML scares me).