Figer's Technology Consulting | Poor Man's Single Sign-On between two systems

Poor Man's Single Sign-On between two systems

1.) Pass a new querystring variable we'll call "values" from one system to the other.


2.) This "values" parameter is symmetrically encrypted by the sending system and decrypted by the receiving system using 3DES with a shared secret key. See my article on how I'm already doing this: http://www.figers.com/Blog/2014/02/28/symetrical-3des-encryption-in-java-and-decryption-in-vb-net/


3.) "values" will contain the UserID, any other values you need, and a randomly generated number made up of today's date followed by a 10-digit randomly generated number; it would look like 040320141234567890.


4.) When the receiving system decrypts "values", it checks whether the random number has been used before. If it has, it rejects the entire request. If it hasn't, it processes the sign-on request and adds the random number to a table for later verification.


5.) Since a URL can never be reused, we aren't concerned with it sitting in browser history or being sniffed over the wire at, say, a coffee shop.


6.) Each time the first system displays the link to jump to the second system, or the link is clicked, it generates a new random number for the link.


7.) Because the number is encrypted, an attacker would need to know the secret key even to be able to guess a number to try (i.e. unless 3DES is cracked this is not possible).
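The receiving side of steps 3 through 7, as an added example in Python that is not code from this post (the post's own implementation is the Java/VB.NET 3DES code linked in step 2): it builds the one-time number, parses the already-decrypted "values" plaintext, and rejects any number seen before. Assumptions: the date part is MMDDYYYY, the fields inside "values" are pipe-separated, and the date-window check (which lets the table of used numbers be pruned) is an addition not in the post; 3DES encryption and decryption are left to the linked article.

```python
import secrets
from datetime import date, datetime

# Number layout from the post: today's date followed by 10 random digits,
# e.g. 040320141234567890 -> 04/03/2014 (assumed MMDDYYYY) + 1234567890.
DATE_FMT = "%m%d%Y"
RANDOM_DIGITS = 10


def make_nonce(today=None):
    """Build the one-time number the first system puts into 'values' (steps 3 and 6)."""
    today = today or date.today()
    rand_part = "".join(str(secrets.randbelow(10)) for _ in range(RANDOM_DIGITS))
    return today.strftime(DATE_FMT) + rand_part


def build_values(user_id, nonce, **extra):
    """Plaintext of 'values' before 3DES encryption; pipe-separated layout is an assumption."""
    fields = [f"UserID={user_id}"] + [f"{k}={v}" for k, v in extra.items()]
    return "|".join(fields + [f"nonce={nonce}"])


class SignOnReceiver:
    """Receiving system: keeps the table of used numbers (step 4) and rejects replays."""

    def __init__(self, max_age_days=1):
        self.used = set()                  # stand-in for the database table of seen numbers
        self.max_age_days = max_age_days   # date window is an addition, not in the post

    def accept(self, plaintext_values, today=None):
        """Return (ok, reason, fields); the caller has already 3DES-decrypted 'values'."""
        today = today or date.today()
        fields = dict(part.split("=", 1) for part in plaintext_values.split("|"))
        nonce = fields.get("nonce", "")
        if len(nonce) != 8 + RANDOM_DIGITS or not nonce.isdigit():
            return False, "malformed nonce", fields
        try:
            issued = datetime.strptime(nonce[:8], DATE_FMT).date()
        except ValueError:
            return False, "bad date in nonce", fields
        if not 0 <= (today - issued).days <= self.max_age_days:
            return False, "nonce outside accepted date window", fields
        if nonce in self.used:
            return False, "replayed nonce", fields   # step 4: seen before, reject the whole request
        self.used.add(nonce)                         # record it so this URL can never be reused
        return True, "ok", fields
```

Entries older than `max_age_days` can be deleted from the table, since the date check already rejects them.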


Now we have secure Single Sign-On from one system to another.
