Hi Grant,
first, this is not related to the SAP NW SSO product but related to the security features of the ABAP system, so you might get better answers when asking this question security forum.
For being able to create assertion tickets, login/create_sso2_ticket needs to be set to 2 (they are usually being used for the scenario you did describe). Please check the documentation on this. Also I would suggest you check the config in client 800, as the config partially is client dependant. As far as I did understand your post, you did run tx SSO2 only in 000 but not in 800.
Also you might want to have a look at this thread on the differences of assertion tickets, logon tickets and re-entrance tickets. Last but not least, there is the note 1257108 - Collective Note: Analyzing issues with Single Sign On (SSO) giving some advice on how to trace SSO issues.
Kind regards,
Patrick