I think part of the problem in achieving single sign-on in most schools is the inflexibility of Active Directory itself. Now imagine if AD would let you 'validate' users from another source, say Shibboleth for example. My old LEA used Shibboleth for its e-mail authentication, so every user in every school within that LEA has a valid account on its Shibboleth server. It is also planning to use it for its LEA-wide VLE, which is in the works at the moment.
What would have been great is if my local AD server would also talk to the LEA's Shibboleth server, and allow me to select accounts that I would like to allow onto my network. I could still assign them group memberships and manage the account locally within my AD environment, but Shibboleth could provide the authentication method behind the scenes, which means the same username and password could then be used for everything! If they then moved schools within the LEA, I could de-validate their account within my AD, and the next school could validate it on theirs. Also, pupils that attend more than one school, sixth formers for example, could be validated at both schools.
That way, services that tie into AD like Moodle and Exchange could also use the same username and password. If all these different authentication services could actually talk to each other behind the scenes, then we'd be onto a winner!
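The arrangement the post describes boils down to splitting authentication from authorisation: one central identity provider checks passwords, and each school's directory only decides which of those identities it admits and what groups they get. The toy model below is an added illustration, not the post author's code and not a real Shibboleth or Active Directory integration; `CentralIdP` stands in for the LEA's Shibboleth server, `SchoolDirectory` for a school's local AD, and every username, password and group name is constructed for the example.

```python
"""Toy model of delegated authentication with local validation.

Added illustration, not the post's own code. CentralIdP stands in for the
LEA's Shibboleth server (the only party that ever sees a password) and
SchoolDirectory for a school's local AD (which 'validates' identities and
assigns groups). All accounts, passwords and groups are constructed."""

import hashlib
import hmac
import os


class CentralIdP:
    """Authentication only: one credential per LEA-wide account."""

    def __init__(self):
        self._creds = {}  # username -> (salt, pbkdf2 hash)

    def register(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self._creds[username] = (salt, digest)

    def authenticate(self, username, password):
        """True only if the account exists and the password matches."""
        entry = self._creds.get(username)
        if entry is None:
            return False
        salt, stored = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return hmac.compare_digest(candidate, stored)


class SchoolDirectory:
    """Authorisation only: which LEA identities this school has validated,
    and which local groups it gives them. Never stores a password."""

    def __init__(self, name, idp):
        self.name = name
        self._idp = idp
        self._validated = {}  # username -> set of local groups

    def validate(self, username, groups=()):
        self._validated[username] = set(groups)

    def devalidate(self, username):
        self._validated.pop(username, None)

    def is_validated(self, username):
        return username in self._validated

    def login(self, username, password):
        """Return the user's local groups on success, or None.

        The local validation check runs first, so an identity this school
        has not admitted is refused without touching the central server."""
        if username not in self._validated:
            return None
        if not self._idp.authenticate(username, password):
            return None
        return set(self._validated[username])


def build_scenario():
    """Two schools, one pupil validated at School A only, and a sixth
    former validated at both (constructed accounts)."""
    idp = CentralIdP()
    idp.register("a.smith", "correct horse battery staple")
    idp.register("b.jones", "hunter2")

    school_a = SchoolDirectory("School A", idp)
    school_b = SchoolDirectory("School B", idp)

    school_a.validate("a.smith", {"Pupils", "Year11"})
    school_a.validate("b.jones", {"Pupils", "SixthForm"})
    school_b.validate("b.jones", {"Pupils", "SixthForm-Visiting"})
    return idp, school_a, school_b


def move_pupil(old_school, new_school, username, groups):
    """Transfer between schools: de-validate at the old one, validate at
    the new one. The central credential is untouched, so the username and
    password stay the same."""
    old_school.devalidate(username)
    new_school.validate(username, groups)


if __name__ == "__main__":
    idp, a, b = build_scenario()
    pw = "correct horse battery staple"
    print("A before move:", a.login("a.smith", pw))
    print("B before move:", b.login("a.smith", pw))
    move_pupil(a, b, "a.smith", {"Pupils", "Year12"})
    print("A after move:", a.login("a.smith", pw))
    print("B after move:", b.login("a.smith", pw))
```

The check order in `login` is the security-relevant detail: a valid LEA password alone is never enough to get onto a school's network, and a school that de-validates a leaver cuts off local access immediately without the LEA having to change or disable the central credential.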