I noticed that PicketLink-STS is included as part of the enterprise portal platform download, so I have asked Red Hat support to see if this is possible (assuming that PicketLink-STS was a supported product since it's part of the download). They said that they have researched this issue and it "does not look like it is possible with EPP 5.x".
They also said that "it has been confirmed that SAML based SSO has not been certified with JBoss Portal" and that PicketLink-STS is still a technology preview and is only shipped as an artifact of the JBoss Portal distribution. This is confirmed by the following link to the documentation:
So, it appears that our options are (taking into account time constraints for the project):
1) Abandon the GateIn portal in favor of some static web pages (as we already have our EJB services using PicketLink-STS)
2) Abandon PicketLink-STS, and use an SSO that is supported by GateIn (cons: big change for all our services, and wouldn't be SAML based)
Hopefully this post is useful if another person is struggling and trying to go down this road.