Receiving OAuth access_token from Google Apps, now what?

[eluser]xref[/eluser]
I've been using Phil's OAuth 2.0 spark to attempt adding single sign on for an internal webapp we have, so employees can login with their Google Apps email. I'm receiving back an access_token from Google and can request user data from Google, but I'm not exactly sure what to do next.

1) Do I store the access_token in the session and check for it in controller constructors to keep the user logged in?
2) Do I keep calling Google's Validate Token API function when the user moves between pages? (https://developers.google.com/accounts/d...atingtoken)
3) Do I store the access_token in a database along with the employee's email and name?
3a) If the user comes back from a different browser, or the CI session cookie expires, how do I know which token belongs to the user?
4) How do I set it up so the user doesn't have to continually go through the OAuth grant access process whenever they return to the webapp?

I've been doing a ton of research but I'm kind of hung-up now, any help understanding this part of the process would be excellent!

[eluser]xref[/eluser]
No tips on this one? Am I on the right path or do I need to be using something completely different? https://developers.google.com/google-app...ementation