One way that I've played with, but not finalized, is actually doing the call within a background frame/object to do the entire authentication flow.
So rather than seeing a bunch of 'redirects' the user simply sees a "doing SSO" type message while all the action takes place behind the scenes. If successful, sends them on to application. If unsuccessful, fall-through to log in form flow.
Hasn't really been real-world tested but initial checks I don't get the domain pop-up in any browser whether on wrong domain or off the domain.
-------
Now if the domain pop-up isn't a huge concern, can also handle up-front Kerberos 'check' . Only done this with IIS though. So basically the initial auth scheme used by application is a 'false forms' to a degree that points to a folder protected by "Negotiate:Kerberos".
If that fails, a custom error page is invoked which snags the target application and sends them through the log in form flow. If it succeeds, then the 'form' that now loads sends them through the SiteMinder Kerberos flow.
This can generate the pop-up though if user is not on the domain or different domain and has IWA enabled in browser (so off-site employee or something that's not on a VPN). But other than that works for IE, Safari, Chrome, Opera and Firefox.