I would first make sure that WinAD Authentication works in general with Explorer (not SSO).
More info in: Configuring_Active_Directory_Manual_Authentication_and_SSO_for_BI4.pdf
See attachment at the bottom of SAP kbase: 1631734
With regards to the client-side you need to go into IE and Internet Options - Advanced tab and select "Enable Integrated Windows Authentication", also on the security settings for the intranet add the website to your trusted sites.
Don't test SSO on the Tomcat server itself, there is a Tomcat/Kerberos bug which will not allow you to logon.
I hope this helps,