I should clarify my point about blog.example.com and signon.example.net encrypting a shared datum. Rereading my post, I realize it wasn't clear that I meant each side should hold the other's public key. blog.example.com signs the datum with its private key (the textbook "encrypt with the private key"), so signon can verify it with blog's public key and know the request came from blog; signon then signs the response with its own private key, so blog can verify it with signon's public key and know the reply/ack came from signon. The point is origin authentication in both directions, not confidentiality: anyone holding the public keys can read the datum, but only the holder of the matching private key could have produced it.
This is obvious, but the way I wrote it might not convey that I know it's obvious :)
Also, depending on my workload this and next week, I may try to whack together a prototype of this mechanism.
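To make the exchange above concrete, here is an added example of the round trip, written for this post and not code from the original or from any prototype. It assumes Ed25519 signatures (the modern equivalent of "encrypt with the private key") and an in-memory cross-installation of public keys; the party and message names are illustrative. The ack is signed over an `ack:`-prefixed copy of the request datum, so a captured request signature cannot be replayed as an ack. A real deployment would also need a nonce or timestamp in the datum to stop replay of whole messages, which the post does not address.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Party models one side of the exchange (blog.example.com or signon.example.net).
// Each holds its own private key and, after SetPeer, the other side's public key.
type Party struct {
	Name    string
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	peerPub ed25519.PublicKey
}

// NewParty generates a fresh Ed25519 keypair for the named party.
func NewParty(name string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv, Pub: pub}, nil
}

// SetPeer installs the other side's public key (the out-of-band key exchange the post assumes).
func (p *Party) SetPeer(pub ed25519.PublicKey) { p.peerPub = pub }

// Message is what crosses the wire: the datum plus the sender's signature over it.
// The datum itself is not encrypted; the signature proves who produced it.
type Message struct {
	Sender string
	Datum  []byte
	Sig    []byte
}

// Sign produces a message whose signature only this party's private key can create.
func (p *Party) Sign(datum []byte) Message {
	return Message{Sender: p.Name, Datum: datum, Sig: ed25519.Sign(p.priv, datum)}
}

// Verify checks the signature against the peer's public key.
func (p *Party) Verify(m Message) bool {
	if p.peerPub == nil {
		return false
	}
	return ed25519.Verify(p.peerPub, m.Datum, m.Sig)
}

// AckDatum binds the ack to the request with a domain-separating prefix (assumed convention).
func AckDatum(reqDatum []byte) []byte {
	return append([]byte("ack:"), reqDatum...)
}

// Exchange runs the request/ack round trip: blog signs, signon verifies and signs the ack,
// blog verifies the ack. It returns whether each verification succeeded.
func Exchange(blog, signon *Party, datum []byte) (reqOK, ackOK bool) {
	req := blog.Sign(datum)
	if !signon.Verify(req) {
		return false, false
	}
	ack := signon.Sign(AckDatum(req.Datum))
	return true, blog.Verify(ack)
}

func main() {
	blog, _ := NewParty("blog.example.com")
	signon, _ := NewParty("signon.example.net")
	blog.SetPeer(signon.Pub)
	signon.SetPeer(blog.Pub)

	// Constructed sample datum; in practice this would carry a nonce or timestamp too.
	reqOK, ackOK := Exchange(blog, signon, []byte("sso-token=abc123"))
	fmt.Printf("request verified by signon: %v, ack verified by blog: %v\n", reqOK, ackOK)

	// A tampered datum fails verification at signon.
	m := blog.Sign([]byte("sso-token=abc123"))
	m.Datum = []byte("sso-token=forged")
	fmt.Printf("tampered request verified: %v\n", signon.Verify(m))
}
```

Note that `Verify` never consults the `Sender` field: the identity claim is only trusted because the signature checks out under the key pinned for that peer, which is the whole point of each side holding the other's public key.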