Hi Stephen,
I've never made this myself, so I can't speak from experience, but hopefully I can point you in some directions to investigate.
Ideally, you would have one separate Mendix application serve as the IdP.
There is the OIDC Provider module, which from the looks of it allows one central Mendix application to serve as the IdP for your other Mendix applications. I think that would be the optimal solution, so that users can log in using SSO, for which one central Mendix application is the IdP.
If the module doesn't work out, you could also build a custom solution which provides similar functionality, but that would probably require some additional work and would require you to take all security aspects into your own hands.
Hope that helps!