Allen,
We have performed work in integrating CA PPM and PF for a client and the answer to your problem depends on how you actually do it and the nature of the issue. You can look at Integrating CA PPM with Ping Federate for Single Sign-On - Pemari for info on how we did it.
But for OWB, the MSP Connector and XOG the only endpoints we protected were /niku/app, /niku/nu and /ppm/rest/*. it is then possible to launch OWB/MSP via the browser links in CA PPM and for them to use the browser session, use XOG since xog uses /niku/xog and this in not protected. As Jeanne stated above, OWB, XOG and the MSP connector are desktop clients and not SSO aware so for xog you'll always need to logon, for the OWB and MSP Connectors, launching via browser will be fine but you'll be presented with a logon on session timeout or if launching them directly on the client PC.
Andy