IBM has a pretty good document on setting this up. You will need an IBM user ID to access this document, which you can find on the TAM support web site at http://www-306.ibm.com/software/sysmgmt/products/support/IBMTivoliAccessManagerfore-business.html. Just search for "domino integration" to find it. There are two available. For some reason IBM refers to them as adapters, but this is misleading, I think, because when they mention adapters I think of ITIM adapters. In this case these two items are just PDFs with instructions on how to put Domino behind WebSEAL doing SSO with LTPA. I'm not sure why they call them adapters. But hey, whatever. The documentation is pretty good. If you follow these instructions it will work.
There is one key item the document does not mention:
When you create the junction you need to use pdadmin, but you must be on the WebSEAL server to do this. Yes, you can run pdadmin from the Policy Server or even the authorization server, but if you need to create a junction using LTPA then you must be on the WebSEAL server for it to work. Otherwise, you'll just end up with an error:
DPWWM1318E Cannot create junction
DPWWA1998W Unable to open the LTPA key file for reading
This stumped me for a handful of hours and even IBM Tech Support never mentioned this little tidbit. My friend Ram from the Tivoli Software group said he usually creates junctions from the WebSEAL server anyhow. I guess maybe I just need to pick the right habits to learn.
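A pre-flight check for the key file error described above, as an added example that is not from the original post or from IBM's documentation. It is meant to be run on the WebSEAL host before creating the LTPA junction; the function names and the four arguments (server name, back-end host, key file path, junction point) are hypothetical, and the check on permissions for other users is an added hardening assumption.

```shell
#!/bin/sh
# Added example (not IBM's or the post author's code). Run it on the WebSEAL host.

# ltpa_preflight KEYFILE
# Returns 0 if the key file looks usable, 1 if it is missing on this host,
# 2 if the current user cannot read it, 3 if "other" users have any access.
# Note: readability is tested for the user running the script, which is an
# approximation of what pdadmin/WebSEAL will be able to open.
ltpa_preflight() {
    keyfile=$1
    if [ ! -f "$keyfile" ]; then
        echo "LTPA key file not found on $(hostname): $keyfile" >&2
        return 1
    fi
    if [ ! -r "$keyfile" ]; then
        echo "LTPA key file not readable by $(id -un): $keyfile" >&2
        return 2
    fi
    # Characters 8-10 of the ls mode string are the permissions for "other".
    other=$(ls -ldn "$keyfile" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "LTPA key file is accessible to all local users ($other): $keyfile" >&2
        return 3
    fi
    return 0
}

# junction_cmd SERVER BACKEND_HOST KEYFILE JUNCTION_POINT
# Prints the pdadmin command for an LTPA junction (-A with -F key file and
# -Z key file password) only if the pre-flight check passes. The password is
# left as a placeholder so it never lands in shell history or process lists.
junction_cmd() {
    ltpa_preflight "$3" || return $?
    printf 'server task %s create -t tcp -h %s -A -F %s -Z <keyfile-password> %s\n' \
        "$1" "$2" "$3" "$4"
}

# Stand-alone use: script.sh SERVER BACKEND_HOST KEYFILE JUNCTION_POINT
if [ $# -eq 4 ]; then junction_cmd "$@"; fi
```

Enter the printed line at the pdadmin prompt on the WebSEAL server, replacing the placeholder with the real key file password.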