Forum Discussion
is it possible to apply SSO when login page and app run on different device?
APM sessions contain all of the data gathered during session setup inside the BIG-IP's sessiondb. So in your scenario you have one BIG-IP that has both authorized and authenticated the user that's connecting. The other BIG-IP has not authorized or authenticated this user, so how do we make the second BIG-IP trust the first one's decisions about the user? There are a lot of potential ways,
- The first BIG-IP sends a JWT to the second one in the manner of an OpenID Connect Client talking to an OpenID Resource Server.
- The first BIG-IP is set up as a SAML IdP, and the second BIG-IP is set up as a SAML Resource Server.
- The first BIG-IP is set up to send not-federated SSO credentials to the second one
In both of those cases, APM is required on the second BIG-IP.
Some other ways that might work,
- The first BIG-IP has some unique L2 network path to the second one so only traffic can occur between the two via IP, Ethernet addressing, or VLANs
- Set up an IPsec tunnel between the two BIG-IPs and use irules to route APM user traffic to the remote box
- Set up iSession tunnels between the two BIG-IPs
Of course, if the second BIG-IP is just acting as a router or doesn't need to create its own SSO and you can rely on the first BIG-IP's SSO, then this is a non-issue. The first BIG-IP is capable of performing this SSO, and the second one will silently pass it through in the same way that a router would.
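To make the first option above concrete, here is an added example (not BIG-IP configuration or code from the answer) of what the trust check looks like when device 1 issues a signed token for a session it has already authenticated and device 2, acting as the resource server, decides whether to honour it. The secret, issuer and audience values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret: stands in for the key both devices would be
# provisioned with (hypothetical; a real deployment would prefer RS256 and key rotation).
SHARED_SECRET = b"constructed-demo-secret-not-for-production"
ISSUER = "https://bigip-1.example.test"     # hypothetical first device
AUDIENCE = "https://bigip-2.example.test"   # hypothetical second device

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(username: str, now: int, ttl: int = 300) -> str:
    """Issuer side: sign the identity it has already authenticated (HS256 JWT)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": ISSUER, "aud": AUDIENCE, "sub": username,
                                 "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def verify_token(token: str, now: int) -> Optional[dict]:
    """Resource-server side: trust the issuer's decision only if the algorithm,
    signature, issuer, audience and expiry all check out; otherwise return None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:          # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None             # never let the token choose the algorithm
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time compare
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims
```

Anything that fails a check returns None, so a token with a swapped claims segment, an expired token, or a malformed string is all rejected before the second device acts on the user's identity.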