Hmm. I might have found a fix for the issue - though I can’t say I understand why it works.
I had configured the two apps to use different ASP.NET Session cookies, as that seemed the logical thing to do. By changing them so they both use the same Session cookie, the SSO seems to work (though logging out of one app doesn’t log out of both; I recall reading that handling logout is a complex issue and I haven’t explored that in greater detail yet, so that’s fine).
So now I am wondering - is it a requirement of SSO that all apps use the same session cookie? That doesn’t seem right to me, but again I’m probably missing something.