It is dependent on how the WebServer is configured, if it is a single WebServer instances e.g. IIS or single Apache Instance (single httpd.conf) - then you could only have one ACO.
IIS is an exception in that there could be only one ACO, since only one WebAgent could be configured with IIS till date. There is an enhancement request being worked upon to allow using multiple ACOs on IIS.
Apache, we can create multiple instances of Apache using a single install of Apache. Thus there is an httpd.conf per instance of Apache. We could now map a unique WebAgent.conf (with a unique ACO in each) to each httpd.conf. Each httpd.conf could be an independant WebSite (e.g. abc.com or xyz.com).
For SSO you definitely need a Cookie Provider. All WebAgents can act as a CookieProvider. It is only a matter of designating one as the Cookie Provider and then pointing all other WebAgent which need to be in SSO to that CookieProvider.
Using a Cookie Provider for Cross Domain SSO - CA Technologies
http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec456839.aspx
Regards
Hubert