 7.4 Trusted Relationships

 

The second main use of logon tickets is to authenticate the user against other systems. When the user accesses another system, that system must also validate the digital signature and, if it is correct, extract the user name from the cookie. For this to work, the two systems must be in a trusted relationship with one another. Effectively, each system holds information about the digital certificates of the other system, which allows it to verify information signed by the other system.

For a trusted relationship, all relevant systems must be configured to accept the logon ticket of the other system. For more information, see Maintaining Trust Relationships between SAP Systems.

Note: The SAP user ID must be the same on all systems.

Testing Trusted Relationships in the Browser
  1. Log on to test system A with this URL, for example:

    http://pwdf6391.wdf.sap.corp:50021/sap/bc/bsp/sap/it00

    Now you have the logon ticket.

  2. In the browser's address field, change the URL to point to test system B, for example:

    http://us4184.wdf.sap.corp:1080/sap/bc/bsp/sap/it00

    If the two systems are in a trusted relationship, this second URL starts the application on the second system without asking again for authentication.

  3. To confirm this test, use any HTTP tracing tool, for example HttpWatch (see http://www.httpwatch.com) or Fiddler (see http://www.fiddler2.com), and then look at the cookies exchanged:

    MYSAPSSO2   Sent   AjEx...

    This shows that the browser sends the logon ticket it already holds to the second system.

This basic test has to work successfully if the systems are in a trusted relationship.
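
The check from step 3 can also be run over a saved trace instead of by eye. The following is an added example, not part of the SAP documentation: it assumes the trace was exported in HAR 1.2 format and treats an HTTP 401 from system B as a renewed request for authentication. The function names, result labels and sample ticket value are constructed for illustration.

```python
from urllib.parse import urlsplit

TICKET = "MYSAPSSO2"
HOST_A = "pwdf6391.wdf.sap.corp"   # test system A from the page
HOST_B = "us4184.wdf.sap.corp"     # test system B from the page

def entry(url, sent, status, set_cookies):
    """Build a minimal HAR 1.2 entry (constructed sample data, not a real capture)."""
    as_list = lambda d: [{"name": k, "value": v} for k, v in d.items()]
    return {"request": {"url": url, "cookies": as_list(sent)},
            "response": {"status": status, "cookies": as_list(set_cookies)}}

# Constructed trace: A issues the ticket, the browser then presents it to B.
SAMPLE_HAR = {"log": {"entries": [
    entry("http://pwdf6391.wdf.sap.corp:50021/sap/bc/bsp/sap/it00", {}, 200,
          {TICKET: "PLACEHOLDER-TICKET"}),
    entry("http://us4184.wdf.sap.corp:1080/sap/bc/bsp/sap/it00",
          {TICKET: "PLACEHOLDER-TICKET"}, 200, {}),
]}}

def cookie_value(cookies, name=TICKET):
    """Return the named cookie's value from a HAR cookie list, or None."""
    return next((c["value"] for c in cookies if c["name"] == name), None)

def check_trust(har, host_a=HOST_A, host_b=HOST_B):
    """Classify the two-step browser test recorded in a HAR trace."""
    issued = sent = status_b = None
    for e in har["log"]["entries"]:
        host = urlsplit(e["request"]["url"]).hostname  # hostname drops the port
        if host == host_a:
            issued = issued or cookie_value(e["response"]["cookies"])
        elif host == host_b and status_b is None:      # first request to B only
            sent = cookie_value(e["request"]["cookies"])
            status_b = e["response"]["status"]
    if issued is None:
        return "no_ticket_issued"        # A never set MYSAPSSO2
    if status_b is None:
        return "system_b_not_requested"  # step 2 is missing from the trace
    if sent is None:
        return "ticket_not_sent"         # e.g. B is outside the cookie's domain
    if sent != issued:
        return "different_ticket_sent"   # B got a ticket other than the one A issued
    if status_b == 401:
        return "ticket_rejected"         # B asked for authentication again
    return "ticket_accepted"

if __name__ == "__main__":
    print(check_trust(SAMPLE_HAR))
```

A result of `ticket_not_sent` points at the browser side (the cookie never reached system B), while `ticket_rejected` points at the trust configuration on system B.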