I don't have a wealth of experience in this area but there is an old (from v5 days) document about authentication that you may find useful. 

https://pdn.pega.com/documents/authentication-pegarules-process-commander-v53

Chapter 8 describes how to update PRExternal (Deprecated in v5.3) activities to PRExternal. So some things to look out for:

• PRCustom activities will have a step that sets the pyOperPage parameter to the Operator ID page that the activity has built (like the screen shot on page 125 of the above)
• PRExternal activities will / may have a call to the Code-Security.InitialProfileSetup activity to initialize the requestor instance (not required in PRCustom)

Please refer the doc in the below url for your query.

http://pegasystems2.http.internapcdn.net/pegasystems2/lrd_and_reference_docs/SSA_716_StudentGuide_20150211.pdf

@othos, I could only find half answer from the document you provided. For the benefit of others, I'm posting it here.

The PRCustom authentication scheme allows token-based authentication, and so it supports both LDAP authentication and Single-SignOn (SSO) approaches. The PRCustom authentication starts when a user requests a special URL. The URL is mapped via a servlet mapping to a servlet defined in the application’s web.xml. Here the authentication type parameter is set to PRCustom telling PRPC that users coming to this URL will use the PRCustom authentication scheme.