Hello Alexander,
i also would say that the client is a solution for our problem. It will solve the topic of mixed authentication methods between DIAG/SNC (Windows Kerberos DLL) and HTTP/S (Certificates) protocols. And i guess it will be the easier to implement way.
The major difference is, that the client needs licenses. 
. If i can provide a SSO solution, which costs "nothing" i would prevere it before a solution which costs ~100k€ for the whole company.
We have a good experiance with the SSO Solution for the SAP GUI (SNC with Kerberos), but no solution for HTTP/S traffic.
Regards
Manuel