I realise this thread has been dormant a while, but I came across it whilst searching for something and since others may also find it similarly, I wanted to clarify something.
SSO in OnDemand environments (whether they are portal SSO or federated) do not require vpn access for XOG and web service calls. If there are problems, they may well need to be involved for understanding or resolving what those problems are, but generally speaking the SSO doesn't block access to logging in otherwise other non-SSO apps (OWB, MSP, MTM) also would not work without VPN, and that isn't the case.
One of the main issues that typically occurs is that SSO users are oblivious to the need to maintain passwords on the Clarity / OnDemand side of things.
Whether the password is being authenticated in Clarity for the XOG user, or authenticated by the same LDAP password that the OnDemand portal is using, the password needs to fulfil the criteria of any password requirements (minimum lengths, etc.) and must not have expired. You also need to know what that password is set to, obviously, since the Clarity password (when not using External Authentication) won't be synched with the LDAP/SSO one.
You also cannot un-expire (by changing) a password through XOG and so it just appears to fail to login when this happens, sometimes with no apparent way to reset the expired flag. To remove the expired flag for a user that doesn't have External Authentication enabled requires logging into Clarity's web UI as that user and being challenged with the Old Password / New Password / Confirm New Password change prompt - which for an SSO enabled environment, you probably don't have access to do unless you also have a non-SSO enabled app server you can reach.
If you are not using Federated SSO but do use the OnDemand portal, your best option (probably) is to have your XOG users in Clarity be setup to use External Authentication and just make sure you are aware of any password changes made for these users on the portal.
As a topic, it does provide some challenges (and not every environment is the same so the answer can vary), however it's not a problem that VPN access typically assists in resolving or negates; so you should only get VPN for some other reason that definitely needs it.