If it's in your domain and participating in SSO, wouldn't it already have the session ID (and encrypted cookie value)? It's also one of the default headers available to Web Agents (if not disabled in the ACO):
HTTP_SM_SERVERSESSIONID
Indicates a unique string that identifies a user session.
Sessions are important to protect, but so long as it's sent securely in a header and the application handles it all safely, not sure why it'd be a problem.
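One way an application behind the Web Agent could treat this header safely, as an added example that is not part of the original post or of the product: it assumes a Python WSGI application, and the helper names, the logging key and the sample environ are constructed for illustration.

```python
import hashlib
import hmac

# Header name from the post, as it appears in a CGI/WSGI environ.
SESSION_HEADER = "HTTP_SM_SERVERSESSIONID"
# Assumption: a per-deployment secret; load it from configuration in practice.
LOG_KEY = b"constructed-demo-key"

# Constructed sample request environ (not real session data).
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/app/home",
    "wsgi.url_scheme": "https",
    SESSION_HEADER: "constructed-session-id-0001",
}


def arrived_securely(environ):
    """True only when the request reached the application over HTTPS."""
    return environ.get("wsgi.url_scheme") == "https"


def session_log_token(environ, key=LOG_KEY):
    """Keyed digest of the session ID for log correlation; None if the header is absent.

    Logging this token instead of the raw value lets operators tie log lines
    to one session without the logs themselves holding the session ID.
    """
    raw = environ.get(SESSION_HEADER, "").strip()
    if not raw:
        return None
    return hmac.new(key, raw.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def scrub_environ(environ):
    """Copy of environ that is safe for error reports: session header masked."""
    safe = dict(environ)
    if SESSION_HEADER in safe:
        safe[SESSION_HEADER] = "[redacted]"
    return safe


if __name__ == "__main__":
    print("secure hop:", arrived_securely(SAMPLE_ENVIRON))
    print("log token:", session_log_token(SAMPLE_ENVIRON))
    print("error report view:", scrub_environ(SAMPLE_ENVIRON))
```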