Best practice for federated authentication and authorisation?

James Fidell james at
Thu May 2 11:19:15 BST 2013

I'm currently looking for some sort of definition of best practice for
implementing federated authentication and authorisation systems, but
struggling to find much.

What I'm looking at is an application that uses Gmail/Facebook/Twitter
etc. for authentication via a bespoke intermediate ("cloud-based")
registration service and then does access control by verifying claims
with another bespoke cloud-based system.

Can anyone point me to any documents that discuss best practice for
implementation of such a system?  I'm thinking that handling all
transactions over HTTPS really isn't sufficient for this and that they
should all be at least time-stamped, digitally signed and use both
client and server certificates for HTTPS, but if I'm being overly
paranoid, or not paranoid enough, it would be useful to know :)
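One concrete form of the time-stamped, signed claims the post asks about, as an added example that is not part of the original message: a registration service issues a claim with issued-at, expiry and a nonce, and a separate access-control service verifies it. HMAC-SHA256 over a shared key stands in for the digital signature (with an asymmetric signature the verifier would hold only the public key); field names and the token layout are assumptions.

```python
import base64, hmac, hashlib, json, secrets, time

# Constructed example: timestamped claim envelope protected by HMAC-SHA256.
# HMAC is a stand-in for a signature; the claim names (sub, aud, iat, exp,
# nonce) are assumptions, not taken from the thread.

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_claim(claims: dict, key: bytes, now: int, ttl: int = 300) -> str:
    """Issuer side: add issued-at, expiry and a fresh nonce, then MAC the payload."""
    body = dict(claims, iat=now, exp=now + ttl, nonce=secrets.token_hex(8))
    payload = _b64(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"

def verify_claim(token: str, key: bytes, now: int, audience: str,
                 seen_nonces: set, max_skew: int = 60):
    """Verifier side: check the MAC before trusting any field, then the
    audience, the time window and replay. Returns (claims, None) on success
    or (None, reason) on failure."""
    try:
        payload, tag = token.split(".")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None, "bad signature"
        body = json.loads(_unb64(payload))
    except ValueError:                       # bad split, bad base64, bad JSON
        return None, "malformed token"
    if body.get("aud") != audience:
        return None, "wrong audience"
    if body.get("iat", 0) > now + max_skew:  # issued "in the future"
        return None, "clock skew"
    if now >= body.get("exp", 0):
        return None, "expired"
    nonce = body.get("nonce")
    if not nonce or nonce in seen_nonces:    # same token presented twice
        return None, "replay"
    seen_nonces.add(nonce)
    return body, None

if __name__ == "__main__":
    k = secrets.token_bytes(32)
    tok = issue_claim({"sub": "user@example.com", "aud": "acl"}, k, int(time.time()))
    print(verify_claim(tok, k, int(time.time()), "acl", set()))
```

The nonce set must be shared (or bounded by `exp`) across verifier instances, otherwise a token can be replayed against a different node.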
