Forum Discussion
Design for APM SSO for external web sites without SAML
Cross domain SSO in F5 APM terminology is being able to sign into multiple URLs using a single authentication to the APM.
Well, technically that wouldn't necessarily be "cross-domain". There's a "multi-domain" mode within APM that allows you to authenticate once and access multiple access policy VIPs, which is a client function. Then there's SSO, which allows APM to use whatever credentials a user has provided to authenticate to different back end systems. That could indeed be Kerberos across multiple trusted domains, but that's only one of many possibilities. In your case though, you have remote services that most certainly aren't accepting Kerberos tickets, so your SSO is most likely going to be posting HTTP-based credentials to their logon page (user/pass form, Basic, NTLM).
Pretty sure it's a form. Not sure exactly how it works but I'll do some further digging. Can the APM do the following?
This config dances dangerously close to a reverse proxy, which depending on your criteria and how many external sites the user must access through this VIP, can have some complexity. Is it a handful of sites? Does it need to be in a full forward (web) proxy configuration?
The order here is important as the SSO only needs to happen after the customer ID is successfully entered.
Actually it shouldn't technically matter. The Forms SSO config is going to be on the lookout for the data that you've defined to identify the logon page. Whenever the SSO sees that, it'll post the credentials as required. It shouldn't matter when that happens. Now, if you're implying that it MUST only happen in a specific order, then you'd have to take additional measures to enable/disable SSO based on that criteria.