Hello,
VMware SSO has a lot of concerns at the moment and I do not kow anyone that has written anything for it. It is a new authentication model and as such those who control authentication should be in charge of configuring the service. That would NOT normally be the Virtualization folks, In sites where SSO is required, the appropriate team should manage this new feature for better separation of duties. Note this is not authorization but authentication control.
So in answer to your question, yes if you use it, it is NOT the VMware Administrators who should control their own authentication and it may not be the Domain Admins, usually it is the security team.
That said, how much of SSO you use is still up to you. You can leave it unconfigured which allows all through SSO but implies your normal AD rules suffice or you can add in your own control. I am hoping that the next VMware Hardening Guide contains SSO best practices for various types of organizations.
Best regards,
Edward Haletky