For logging users out, you should disable log out from ATG Self Service by hiding the link.
Otherwise, you need to make sure that the logout action from ATG Self Service logs out the user from your single sign-on scheme.
To do this, you need to subclass atg.userprofiling.ProfileFormHandler, and in that class, override ProfileFormHandler.postLogoutUser(DynamoHttpServletRequest,DynamoHttpServletResponse), making sure to call super.postLogoutUser(request, response) in the last line of that function.
Then override the Nucleus configuration for ProfileFormHandler to point at your subclass by creating a file in <ATG2007.3dir>/localconfig/atg/userprofiling/ProfileFormHandler.properties that contains one line:
$class=com.acme.MyProfileFormHandler
where com.acme.MyProfileFormHandler is the name of your subclass of ProfileFormHandler.
The postLogoutUser method will be called after the logout button is clicked in ATG Self Service. Therefore, whichever code logs a user out of your single sign-on scheme should be invoked by that method.
