Forum Discussion
JakeS
11 years ago
Lithium Alumni (Retired)
Just a quick question; have you seen the authentication page under Community API? http://community.lithium.com/t5/Community-API/bd-p/developers-rest-api?page=authentication
This should mostly have the info you need for this; basically you can pass your SSO token as a query param into an authentication/sessions/login API call and get back a REST session key that can be used subsequently to authenticate REST calls. By default this session key will last at most 24 hours, and will expire if it is unused for 30 minutes, but these values are configurable; you'd just need to open a support ticket to get them adjusted. Your diagrams all look pretty good generally; hopefully this info helps with getting your service set up. One thing to note is that your login metric will be incremented by the authentication call I mentioned above; I assume this is acceptable and that the important part is that users don't have to hit a community page to authenticate, but it's worth noting.
Btw, I think cookies would not meet your use case because you would need to hit a community page to get the required cookie, and as noted they aren't the best solution for other reasons.
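The session-key lifetimes described in the reply above (24 hours maximum, 30 minutes idle by default), as an added example that is not part of the original post or Lithium's own code: a small client-side cache that reuses one key and logs in again only when either limit has passed, so the SSO token is not sent and the login metric is not incremented on every request. The `login` callable, the class and method names, and the 60-second safety margin are assumptions.

```python
import time
from typing import Callable, Optional

MAX_LIFETIME = 24 * 60 * 60   # from the post: key lasts at most 24 hours by default
IDLE_TIMEOUT = 30 * 60        # from the post: key expires if unused for 30 minutes
SAFETY_MARGIN = 60            # assumption: renew a minute early to avoid racing the server


class SessionKeyCache:
    """Holds one REST session key and re-authenticates only when it must."""

    def __init__(self, login: Callable[[], str],
                 clock: Callable[[], float] = time.monotonic,
                 max_lifetime: int = MAX_LIFETIME,
                 idle_timeout: int = IDLE_TIMEOUT):
        self._login = login      # hypothetical: performs the login call, returns the key
        self._clock = clock
        self._max = max_lifetime - SAFETY_MARGIN
        self._idle = idle_timeout - SAFETY_MARGIN
        self._key: Optional[str] = None
        self._issued = self._last_used = 0.0
        self.login_count = 0     # how many times the login call (and metric) was hit

    def _expired(self, now: float) -> bool:
        return (self._key is None
                or now - self._issued >= self._max
                or now - self._last_used >= self._idle)

    def key(self) -> str:
        """Return a key believed valid; call this right before each REST request."""
        now = self._clock()
        if self._expired(now):
            self._key = self._login()
            self._issued = now
            self.login_count += 1
        self._last_used = now    # using the key resets the idle timer
        return self._key

    def invalidate(self) -> None:
        """Call when the server rejects the key, so the next key() logs in again."""
        self._key = None
```

If the lifetimes have been changed through a support ticket, pass the adjusted values as `max_lifetime` and `idle_timeout`.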