The current implementation of SSO uses a very weak encryption algorithm ("aes-128-ecb"), which has been demonstrated to leak information if the encrypted data is any larger than 16 bytes (which almost any JSON-encoded string will be). On top of that, you're using the default Node.js key generation algorithm ("EVP_BytesToKey" with 1 pass and no salt), which essentially just md5's a value and cuts it in half.

In the end, we're only sending a small bit of data over, and it's via SSL, so the security risk is low. But better security practices are always good.

JSON Web Tokens already achieve what you're trying to create from scratch, and support a number of encryption methods depending on the system. JWT isn't without security risks, but most modern libraries default to best practices. On top of that, JWT is a recognized standard, meaning that SSO could be implemented in just about any language.