I think you are getting a little confused there. It's been a while since you've asked the question, I'll answer anyway.
SSO comes into question when there are two or more apps involved(ex: gmail, google drive and google plus are three different apps that have SSO, you sign in into one of them, the others will have signed in automatically). Are there two applications in this question?
You don't share the oAuth access token with the client. By client, I believe you mean the browser anyway. You keep the oAuth access token in the server tied to the user session or persist in the database. The oAuth access token will expire after some time(exact time is specified in the response). When the access token expires, you get a new access token with the refresh token that you saved when the user first authorized your application at the provider. You have to keep the refresh token forever by persisting in the database. By any means, if you lose the refresh token, you should have the user sign-in into the oAuth provider site and get the authorization done again so you'll get the refresh token.
