CABI is a different product that uses EEM etc. and would be very different from BSI. So I will only answer for BSI on this thread.
Since NTLM is Windows security, I will assume that you are really asking about an SSO solution in BSI that validates against AD through LDAP,
or in short, an SSO solution using Windows domain logins.
In the future when BSI integrates with EEM, this would be handled through EEM.
However in current BSI releases, it does not integrate with EEM or AD out of the box and so an SSO solution for Windows logins needs to be done the same way it has been done in previous versions of BSI by writing a custom SSO login script that uses BSI's web calls.
An example of this is in appendix A of the admin guide for BSI. The SSO sections of the admin guide and the example integration with AD in appendix A should hopefully provide the information you need.