Currently your best option is either a data group listing of credentials, encrypted if necessary, or an external lookup (query). The question then comes down to the management of each. If the CMS product requires a unique credential for each user, and you don't mind managing those credentials ON the BIG-IP, then a data group may be sufficient. Otherwise you can store the CMS credentials in account attributes in some local directory service (also potentially encrypted).
If, however, you're talking about how technically to achieve SSO with static username and password variables, in the access policy simply set the required session variables that the SSO profile will consume. For form, Basic, and NTLM SSO, the default session variables are session.sso.token.last.username and session.sso.token.last.password. These SSO profiles also require the password to be in encrypted form, so you'll need to set the "secure" option in your variable assignment.
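As an added illustration (not part of the original answer), the data-group approach and the secure variable assignment can be combined in one iRule that runs from an iRule Event agent in the access policy. The data group name cms_sso_creds, its "username:password" value layout, the agent ID set_cms_sso and the session.custom.cms_sso.mapped flag are assumptions made for this sketch, and the data group values are read as stored, without a decryption step.

```tcl
# Added example. Assumed names (not from the original post):
#   cms_sso_creds  - string data group, key = logon username,
#                    value = "cms_username:cms_password"
#   set_cms_sso    - ID of an iRule Event agent placed after logon in the policy
#   session.custom.cms_sso.mapped - flag a later policy branch can test
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "set_cms_sso" } { return }

    set logon_user [ACCESS::session data get "session.logon.last.username"]
    set entry [class lookup $logon_user cms_sso_creds]

    if { $entry eq "" } {
        # No mapping for this user: leave the SSO variables untouched and
        # flag the session so the policy can deny or fall back.
        ACCESS::session data set "session.custom.cms_sso.mapped" 0
        log local0.notice "CMS SSO: no credential mapping for $logon_user"
        return
    }

    # Split on the first colon only, so the password may itself contain ':'.
    set sep [string first ":" $entry]
    if { $sep < 1 } {
        ACCESS::session data set "session.custom.cms_sso.mapped" 0
        log local0.warning "CMS SSO: malformed data group entry for $logon_user"
        return
    }
    set cms_user [string range $entry 0 [expr {$sep - 1}]]
    set cms_pass [string range $entry [expr {$sep + 1}] end]

    # Variables consumed by form, Basic and NTLM SSO profiles.
    # -secure stores the password encrypted in the session, as the SSO profile expects.
    ACCESS::session data set "session.sso.token.last.username" $cms_user
    ACCESS::session data set -secure "session.sso.token.last.password" $cms_pass
    ACCESS::session data set "session.custom.cms_sso.mapped" 1
}
```

The password is never written to the log, and the mapped flag lets the policy send unmapped users down a deny branch instead of attempting SSO with stale values.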