SSO does not negate the LDAP sync - you still need to pull End Users into the database.
The only officially supported way to support multi-forest on the same cluster is with MS LDS. The problem is that LDS is very poorly understood by most Microsoft admins. You may want to consider the viability of a cluster per forest and rely on things such as ILS, EMCC, IM&P Inter-Cluster Peering, and CUC HTTPS Digital Networking instead.