The general idea is this: the user tries to log in to your application via a browser. The BIG-IP with APM is before your application. The APM sees this access attempt and shows a logon page. There the user enters their username and password manually. After these are validated, the traffic is sent through to your application. I assume your application doesn't do anything with authentication itself, so the single sign-on question is kinda unclear.
In this case you would use the APM+LTM model, where things like webtops and such aren't used. You just add your application webserver to a pool and attach it to a virtual server (both BIG-IP terms) and add the authentication, which when successful simply allows access.