Discussion:
How can I set up authentication across multiple front ends
Daevid Vincent
2014-07-30 17:01:00 UTC
We have a service where we have a front end using Wordpress/Magento/custom
PHP code and a distributed backend using various other servers and services
from node.js, magento, mysql, c#, java, ms sqlserver, Apache, etc.

The idea is we want to have multiple UIs spread across different geographies
(different USA states, different countries, etc.) either user selectable or
load-balancer assigned.

How can we have it set up such that someone's login/authentication is valid
across the different UIs (and can switch amongst them) without re-logging in
when they switch (after having logged in already to any of the nodes)? I
don't want to have to constantly authenticate against some shared backend
for every request either, so I imagine some kind of token must be used? Like
how does OpenID work? Or these "Login with Facebook" or "Google ID"? Amazon
AWS/EC2 are good examples for their UI console to manage computes as it has
different regions at the top you switch to simply by the dropdown and really
nothing else changes except some AJAX reload of your statistics, even the
URL is mostly the same except another parameter.

We're not necessarily married to Wordpress and in fact we're trying to phase
it out eventually and only use Magento.

Custom code is also an option - at least if there is a good example base or
API we can maybe hack it in.

We're open to many technologies, but obviously would prefer to use one we
already have (PHP ideally).

Pointers? Thoughts? References? Whitepapers? Plugins? FOSS projects?

Daevid Vincent

Solution Architect (BCM)

<http://www.computenext.com> www.computenext.com

***@computenext.com

Stuart Dallas
2014-07-30 17:31:13 UTC
Post by Daevid Vincent
We have a service where we have a front end using Wordpress/Magento/custom
PHP code and a distributed backend using various other servers and services
from node.js, magento, mysql, c#, java, ms sqlserver, Apache, etc.
The idea is we want to have multiple UIs spread across different
geographies (different USA states, different countries, etc.) either user
selectable or load-balancer assigned
How can we have it set up such that someone’s login/authentication is
valid across the different UIs (and can switch amongst them) without
re-logging in when they switch (after having logged in already to any of
the nodes). I don’t want to have to constantly authenticate against some
shared backend for every request either, so I imagine some kind of token
must be used? Like how does OpenID work? Or these “Login with Facebook” or
“Google ID”? Amazon AWS/EC2 are good examples for their UI console to
manage computes as it has different regions at the top you switch to simply
by the dropdown and really nothing else changes except some AJAX reload of
your statistics, even the URL is mostly the same except another parameter.
We’re not necessarily married to Wordpress and in fact we’re trying to
phase it out eventually and only use Magento.
Custom code is also an option – at least if there is a good example base
or API we can maybe hack it in.
We’re open to many technologies, but obviously would prefer to use one we
already have (PHP ideally)
Pointers? Thoughts? References? Whitepapers? Plugins? FOSS projects?
Third party authentication (which is basically what you're wanting) works
through token passing. The sequence goes something like this:

1) User clicks a button on your site to log in using a third party (
http://www.yoursite.com/login).
2) Server connects to the third party to get a time-limited
"authentication" token that will allow authentication and redirects the
user to that third party (http://www.sharedloginserver.com/login?authtoken=x
).
3) Third party site checks the token is valid and if so presents the login
form.
4) User enters their credentials and clicks the login button (POST to
http://www.sharedloginserver.com/login?authtoken=x).
5) Third party site validates the token and the user's details, and if all
is correct will generate a "logged in" token, also usually time-limited and
redirects the user back to the original site (
http://www.yoursite.com/login/success?authtoken=x&loggedintoken=y).
6) Your site contacts the shared login server to verify that the authtoken
and loggedintoken are both valid, and if so logs the user in locally.
7) From this point on there is no need to contact the third party's server
unless you need to re-authenticate the user.

In your scenario you would want to set an encrypted cookie on
www.sharedloginserver.com that provides it with information about the login
against yoursite.com so that it can decide whether it needs to show a login
form for login to www.anothersite.com or simply create another
loggedintoken for it.

Hope that makes some sort of sense.

As far as existing code to do this I've never come across anything, but it
may well exist in implementations of openid. It's fairly straightforward to
build.

However, having read back what you wrote that doesn't actually appear to
apply here. Will your different UIs be on different domains? If so, why?
You could easily have uk.yoursite.com, us.yoursite.com, au.yoursite.com,
etc, which would only require the user to authenticate on www.yoursite.com
so long as it doesn't use "standard" sessions to track the logged in user.
I'd recommend something similar to my sessionless sessions (
http://3ft9.com/sessionless-sessions-2/) and make sure your cookies are set
on .yoursite.com and not x.yoursite.com. Those cookies are then accessible
from any subdomain.

-Stuart
--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
Paul M Foster
2014-07-30 19:07:21 UTC
Post by Daevid Vincent
We have a service where we have a front end using Wordpress/Magento/custom
PHP code and a distributed backend using various other servers and
services from node.js, magento, mysql, c#, java, ms sqlserver, Apache,
etc.
The idea is we want to have multiple UIs spread across different
geographies (different USA states, different countries, etc.) either user
selectable or load-balancer assigned
[snip]

You're probably familiar with the Luhn algorithm, used to validate
credit card numbers. It's a relatively simple algorithm that determines
whether a given credit card number is valid. (Not all numbers in the
12-16 digit credit card number space represent valid credit card
numbers.) I have to wonder if there's a way to generate a token which
looks like a hash, but which can be tested for certain characteristics
to determine if it's valid for the purposes of determining if someone's
logged in, without having to go all the way back to the login server's
database. The hash itself might contain a component which limited its
lifetime.

It's just an idea. This is definitely way out of my zone of expertise. I
leave encryption, hashing, etc. to people who know a lot more about it
than I do.

Only problem might be someone replicating a known good token.

Paul
--
Paul M. Foster
http://noferblatz.com
http://quillandmouse.com
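An added example (not code from the thread and not the 3ft9 sessionless-sessions code) that ties Stuart's parent-domain signed-cookie suggestion to Paul's idea of a token that checks itself and carries its own lifetime: the login server issues an HMAC-signed token, and every front end (us./uk./au.yoursite.com) verifies it locally with a shared secret instead of calling back to the login server on each request. The secret, cookie domain and lifetime are assumed values.

```php
<?php
// Added example: self-validating, time-limited login token shared across
// subdomains. Every front end holds the same secret; the login server is only
// contacted when the user actually logs in (steps 1-6 of Stuart's sequence).

const SSO_SECRET = 'replace-with-a-long-random-secret-shared-by-all-nodes'; // assumed value
const SSO_COOKIE_DOMAIN = '.yoursite.com';                                  // assumed value
const SSO_LIFETIME = 3600;                                                  // seconds, assumed

function b64url_encode(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Login server side: build "<payload>.<hmac>" with the expiry inside the signed payload,
// so the lifetime cannot be extended without breaking the signature.
function sso_issue_token(string $userId, ?int $now = null): string {
    $now = $now ?? time();
    $payload = json_encode(['uid' => $userId, 'iat' => $now, 'exp' => $now + SSO_LIFETIME]);
    $body = b64url_encode($payload);
    return $body . '.' . hash_hmac('sha256', $body, SSO_SECRET);
}

// Any front end: verify signature, then expiry, with no database or network round trip.
// Returns the payload array on success, null on any failure.
function sso_verify_token(string $token, ?int $now = null): ?array {
    $now = $now ?? time();
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$body, $sig] = $parts;
    // Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if (!hash_equals(hash_hmac('sha256', $body, SSO_SECRET), $sig)) return null;
    $payload = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($payload) || !isset($payload['uid'], $payload['exp'])) return null;
    if ($payload['exp'] < $now) return null; // expired: user must re-authenticate
    return $payload;
}

// Set the cookie on the parent domain (not x.yoursite.com) so every subdomain receives it.
// Secure + HttpOnly keep it off plain HTTP and away from page scripts.
function sso_set_cookie(string $token): void {
    setcookie('sso', $token, time() + SSO_LIFETIME, '/', SSO_COOKIE_DOMAIN, true, true);
}

// Demo with a constructed user id and a fixed clock.
$token = sso_issue_token('user-42', 1406739660);
var_dump(sso_verify_token($token, 1406739660 + 60) !== null);            // true: valid
var_dump(sso_verify_token($token, 1406739660 + SSO_LIFETIME + 1) === null); // true: expired
var_dump(sso_verify_token($token . 'x', 1406739660) === null);            // true: bad signature
```

A copied token stays valid until it expires, which is exactly the replay risk Paul raises; a short lifetime, Secure/HttpOnly cookies over TLS, and a server-side revocation list for logout keep that window small.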
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php