There are different approach you can do.
WLC you can use Certificate to get in to network.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/High_Availability_DG.html
Once user in network with certificate, user can login used AD authentication to populate the domain permission / profiles.
Web - if the proxy is capable of LDAP integration this will automatically taking care of SSO.
Any connect also work with LDAP with remote access profile with LDAP.
Each integration is different, you need to work on each one to deploy 1 at a time and test it.
Make sure you have test environment to test before move to Production.
BB
BB