If you are using AD, you can point to your domain instead of a specific domain controller. This will make it so that your Openfire server will use whatever authentication server is available.
It was too early in the morning when I posted my first post. I was thinking LDAP, not SSO. I have never tried this with the SSO config. In theory it may work there as well. In Windows you can navigate to `\\domain.com\netlogon`, and the users are per domain and authentication is by domain, not by server.