So we haven't gone into testing on this as of yet but has anyone tried out the new "Trusted Servers" feature in AGOL for use with web-tier authentication (URL and copied details below) as this would seem to solve the problems as long as you are working with a single AD forest?
I know we were interested to hear that we would at least be able to switch over to web-tier for our Collector projects but not sure that this will resolve the dual authentication prompts from iPads. I've already had to explain to our users that from desktops we can't pull in their windows credentials to pass through because we run 2 AD forests (internal and external) with a 1 way trust where external trusts internal but internal doesn't trust external. We've had to build out our solution using the external to facilitate usage by contractors along with internal users but it has created some frustrations for internal users having to create/use secondary AD account/password combos along with having to enter the external creds from desktops since their internals can't be authenticated form local system login. Unfortunately, after over a month working with various levels of the ESRI support staff we have learned that there is zero planned intention for ESRI to modify ArcServer to be able to support multiple forests so our last hope is we've found a workaround in ADFS that's allowed us to auth both internal and external into AGOL from the single external ADFS instance and we are hoping to create something that allows us to trick ArcServer and make this work as well, possibly using an LDAP config over Windows Domain config.
Configure security settings—ArcGIS Online Help | ArcGIS
For Trusted Servers, configure the list of trusted servers you wish your clients to send credentials to when making Cross-Origin Resource Sharing (CORS) requests to access services secured with web-tier authentication. This applies primarily to editing secure feature services from a stand-alone (unfederated) ArcGIS Server or viewing secure OGC services. ArcGIS Servers hosting services secured with token-based security do not need to be added to this list. Servers added to the trusted servers list must support CORS. Layers hosted on servers without CORS support may not function as expected. ArcGIS Server supports CORS by default at versions 10.1 and later. To configure CORS on non-ArcGIS servers, please refer to the vendor documentation for the web server.
The host names need to be entered individually. Wildcards cannot be used and are not accepted. The host name can be entered with or without the protocol in front of it. For example, the host name secure.esri.com can be entered as secure.esri.com or https://secure.esri.com.
Note:
Editing feature services secured with web-tier authentication requires a web browser enabled with Cross-Origin Resource Sharing (CORS). The latest versions of Firefox, Chrome, Safari, and Internet Explorer 10 and later are CORS enabled. CORS is not supported in IE earlier than version 10. To test if your browser has CORS enabled, open http://caniuse.com/cors.