Simon
sorry for a somewhat late reaction, and you will probably have resolved this by now (if so, it would be great if you would elleborate in this thread!)
For one of my clients I create a portal(app) using Mendix, which holds all landing screens and MF for various parts of the app that a user can land on based on Role.
Access to that portal is restricted to the admins, and all of the landing pages are imbedded in our "main" website using Deeplink. Some of those pages do require a user to produce (extra) credentials, but I guess it might also be possible to check session-data on an already established session.
I think he means something different here because he is talking about switching between two different websites where one is Mendix and the other can be anything.
I tried this with cookie settings etc but this was not succesfull. We now do it either with Kerberos if there is an LDAP we can use or otherwise do it through webservices where one time usage tokens are passed which can be used in the Post message (ie build a string with the token that already has been set with use of the secure webservice). You can use deeplink indeed for the return switch from the external website to the Mendix website.
Regards,
Ronald