A realm determines the scope of security data. A realm is the region to which a security ID or permission applies. A user defined as "John" in one realm is treated as different from "John" in a second realm, even if these two "John" IDs represent the same human user.
When using an LDAP directory service as the authentication mechanism, the WebSphere security administrator can enable Single Sign-On (SSO), as described in the property help for setting authentication mechanisms. Enabling Single Sign-On tells LTPA to store extra information in the tokens so that other applications can accept clients as already authenticated by WebSphere Application Server. When clients try to access the other applications, they will not be interrupted and asked to log in.
To provide an example of Single Sign-On behavior, suppose a user at a Web client tries to access resources in a realm and is prompted to log into the realm. The user logs in successfully.
Now, if the user tries to access a resource in a different realm and Single Sign-On is not enabled, the user will be prompted to log into that realm. Note that another necessary condition is that the challenge type for the application the user is requesting prompts for a login (it is a Basic challenge).
In contrast, if Single Sign-On is enabled and the user who already logged on to WebSphere security tries to access a resource during the same browser session (whether the resource is in the same WebSphere application realm or a different realm), the user will not be prompted again for the user ID and password.