Login to client account programmatically
#19

(This post was last modified: 05-12-2017, 07:12 AM by webdev25.)

One solution that might be simpler to achieve could be this; it may or may not work in your specific scenario, but I'm assuming your client applications have their own set of users they can sign in as.

On the master application, build in a method to generate a random token (e.g. sha256 + openssl_random_pseudo_bytes), and insert that into the client's database along with the user id of the user on the client's site you want to sign in as.

Then open a new tab / window to the client's site and build a method on your client application which takes this token as an input. The client application can then look up this token in its own database, and fetch the user id you're trying to sign in as.

Adjust your authentication system on your client application to allow you to sign in as any user just by specifying the user_id as an input. When you receive a valid token and have your user id, you can then authenticate to your client site without needing to know the user's actual password.

It's really important that when you do this you do not provide any other means of accessing this alternative authentication method outside the scope of the token authentication, as that would introduce the possibility of someone being able to sign in as any user just by modifying the 'standard' user/pass sign-in form in their browser and passing a user_id=123 input through on that form.

You may want to do additional checks when performing this task, like making sure the token was created within the last 10 seconds or so, and also make sure you destroy the token from the database (as well as any 'expired' tokens that may be lurking) so they can't be used at a later date. Each token you generate must be a one-time-use-only thing.

Because only authenticated users on your master application can generate these tokens, you can assume on the client application that if a valid token exists, it must be authorised.

This saves you having to mess around with cookies and sharing sessions between your different applications and may be a simpler solution. If implemented properly you should end up with a button you can click on your master application that will sign you in as any user on any client application securely with one click.

So in short you might do something like this:

Code:
* click 'sign-in as user' button on your master application and go to:
https://master.app.com/generate_auth_token/client_id/client_user_id
* generate your token and insert it into client_id's database along with the client_user_id and redirect to:
https://client123.app.com/token_auth/your_token_goes_here
* lookup the token, check it's valid, destroy it and authenticate as client_user_id if everything checks out
* proceed using your app as you would if the user had signed in with their user/pass
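As an added example (not code from the original post), here are the "generate token" and "lookup, check, destroy, authenticate" steps above in PHP. It assumes a PDO handle and an `auth_tokens` table (an in-memory SQLite table stands in for the client's real database so it runs stand-alone, and needs the pdo_sqlite extension), uses random_bytes() instead of the openssl_random_pseudo_bytes() the post mentions, stores only the SHA-256 hash of the token, and enforces the 10-second window and single use the post calls for.

```php
<?php
// Added example, not the original poster's code. Assumes a PDO connection
// and an `auth_tokens` table; an in-memory SQLite table stands in for the
// client's real database so this runs stand-alone.
const TOKEN_TTL_SECONDS = 10;   // the "last 10 seconds or so" from the post

function setup(PDO $db): void {
    $db->exec('CREATE TABLE auth_tokens (
        token_hash TEXT PRIMARY KEY,
        user_id    INTEGER NOT NULL,
        created_at INTEGER NOT NULL)');
}

// Master side: mint a token for $userId and store only its hash, so a dump
// of the client's database does not hand out usable sign-in tokens.
function issueToken(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32));            // 256 bits of entropy
    $stmt = $db->prepare('INSERT INTO auth_tokens (token_hash, user_id, created_at)
                          VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, time()]);
    return $token;                                 // goes into the redirect URL
}

// Client side (the /token_auth/ handler): purge expired tokens, then consume
// the presented one. Returns the user id to sign in as, or null when the
// token is unknown, expired, or already used. The DELETE's row count, not
// the SELECT, decides success, so two concurrent requests with the same
// token cannot both be accepted.
function consumeToken(PDO $db, string $token): ?int {
    $db->prepare('DELETE FROM auth_tokens WHERE created_at < ?')
       ->execute([time() - TOKEN_TTL_SECONDS]);
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $sel = $db->prepare('SELECT user_id FROM auth_tokens WHERE token_hash = ?');
    $sel->execute([$hash]);
    $userId = $sel->fetchColumn();
    $del = $db->prepare('DELETE FROM auth_tokens WHERE token_hash = ?');
    $del->execute([$hash]);
    $db->commit();
    return ($userId !== false && $del->rowCount() === 1) ? (int)$userId : null;
}

// Demonstration: constructed data, client user id 123.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setup($db);
$t = issueToken($db, 123);
var_dump(consumeToken($db, $t));        // first presentation of the token
var_dump(consumeToken($db, $t));        // same token presented again
var_dump(consumeToken($db, 'bogus'));   // token that was never issued
```

The returned user id is the only thing the client's login code should accept from this path; the regular user/pass form must never be able to supply a user_id, as the post warns.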


Messages In This Thread
RE: Login to client account programmatically - by webdev25 - 05-12-2017, 07:01 AM


