I am thinking of using the tomcat org.apache.catalina.authenticator.SingleSignOn valve for my single sign on, as documented here
If I go with this approach, what would I need to do to my applications if I decide to move my application from tomcat to another web container such as jboss, glassfish, weblogic, or websphere?
The good news is that Tomcat's SSO shouldn't require you to change anything about your webapp. That means that your webapps are still fully-portable -- at least individually.
If you want to move to, say Websphere, you'll have to figure out how to use that container's SSO mechanism.