1. In the Forefront TMG Management console, in the tree, click the Firewall Policy node.
2. In the Tasks pane, click the applicable Web publishing rule.
3. On the Tasks tab, click Edit Selected Rule. (or just double-click rule)
4. On the Listener tab, click Properties.
5. On the Authentication tab, verify that Method clients use to authenticate to Forefront TMG is set to HTML Form Authentication.
6. On the SSO tab, select Enable Single Sign On.
7. Under Specify the Single Sign On domains for this Web listener, perform the following steps for the Web sites for which you want to allow single sign-on (SSO).
8. Click Add.
9. Type the SSO domain for two or more Web sites.
10. Click OK.
11. In the details pane, click Apply, and then click OK.
Note (From TMG Help):
With SSO, users can click a link on a Web page supplied by one Web site and move safely to another Web site without having to supply their credentials again.
Single sign-on is available for Web sites that are published by rules that use the same Web listener. The Web listener must be configured to use HTML forms-based authentication, and SSO must be enabled for it.