Solution: two (same) custom plugins on both sites.
Workflow to be triggered on successful login:
- generate hash and save in DB; expires after 30/60 seconds
- save initial destination
- redirect to the other site with ID; make necessary checks there – hash, IP etc.
- if everything is OK, login the user programmatically
- redirect back to the initial destination
This way all the cross domain issues will be avoided as the user will be literally sent to the other site; + there will be no hacks with iframes.