Christie
Here are my thoughts.
I often see that the concept of Federation is misconstrued and misused. Ideally we federate across partners and organizations, and thus identities are stored in dissimilar stores.
Based on the above premise, my effort would always be to see if this is within the same organization and then to avoid federation.
I am not much worried about cookie domains within an organization, as we could always mitigate that with a Cookie Provider.
In terms of the User Directory: when SiteMinder does SSO, it does verify that the authenticated User Directory matches. Hence if we authenticated against UD1 in Infrastructure-1, then when we SSO to Infrastructure-2 the validation realm on Infrastructure-2 has to be associated with the same User Directory object (the UD name should match). You did mention that in Infrastructure-2 there'd be an additional User Directory object; in that case, unless we have Directory Mapping or Identity Mapping configured, SSO won't work. Hence for additional User Directories in Infrastructure-2 we'd need to consider a Directory Mapping or Identity Mapping solution.
In terms of the Keystore: if both infrastructures use Dynamic Keys, the best option would be to point the Infrastructure-2 Policy Servers to the KeyStore of Infrastructure-1 on a weekend. The WebAgents would pick up the new keys during the PSPollInterval. At worst we may need to additionally recycle the WebAgents on Infrastructure-2. (Or vice versa, i.e. point Infrastructure-1 to the Infrastructure-2 KeyStore.)
The other alternative for the KeyStore is to let both infrastructures point to their own keystores and set static keys on both infrastructures. Already logged-in users may be thrown out because once we set static keys, all keys in the keystore are overwritten by the static value (i.e. Previous Key, Current Key, etc.). The WebAgents should pick up the updated keys within the PSPollInterval. At worst we may need to additionally recycle the WebAgents.
Most important: do this in a pre-production environment. Test out the change steps. Test the applications. Then production.
Bottom line: though Federation looks like a favorable option, I'd also look at moving the solution into a standard SSO space, as within an organization we should look at consolidating identities under a single roof as far as possible (Federation, on the other hand, is for disjoint identity / organization structures).
Regards
Hubert