Incidentally, some time ago I mentioned several options for single sign-on. These are also projects that support generic authentication layers on top of any application; one of the goals at Imaginary Landscape is to consolidate logins for all kinds of content -- Zope, Webware, PHP, Perl, and static content. And to do it with reasonable usability, which most Apache authentication does not provide.
In the end I dropped Pubcookie as too complex, and we're using mod_auth_tkt. This has a documented authentication ticket format that anyone can generate (based on a shared secret), and just enough features to support things like groups, without any extra features that you'll have to work around.
There's still a lot of infrastructure to build up around it to support a "full" user system, but I feel confident at least that it is a good foundation.
We're looking to do something similar at Zenoss. I've been busy with setting up the LDAP infrastructure, but one of my next tasks will be recommending a solution for the single-sign-on portion.
Did you ever make any good progress with mod_auth_tkt?