What you’re describing here is a hybrid scenario that works perfectly with the Windows Azure Access Control Service. And it doesn’t matter if your application is on-premise or in the cloud. Basically your applications will simply need to use ACS as identity provider (right click on your projects, add STS reference). Once you’ve done that, the following will be possible:

1. User browses to application1.com
2. Authentication is required. application1.com redirects to the ACS ‘login page’ (where you can choose an identity provider) or lists all available identity providers.
3. User chooses to use Windows Live
4. User is redirected to login.live.com where he can enter his email address + password. He chooses to save the password and stay connected.
5. User is redirected to ACS with some claims. ACS redirects again with some claims to application1.com
6. User is authenticated in application1.com and his claims are available in the application.
7. User connects to application2.com
8. Authentication is required. application2.com redirects to the ACS ‘login page’ (where you can choose an identity provider) or lists all available identity providers.
9. User chooses to use Windows Live
10. User was already authenticated in Windows Live before! And login.live.com redirects him immediately to ACS with some claims
11. ACS redirects again with some claims to application2.com
12. User is authenticated in application2.com and his claims are available in the application.

Hope this helps.

Sandrino