How can OS X perform "VPN Single Sign On"?

Windows can perform "VPN Single Sign On" whereby a (pre-configured) VPN connection is initiated from the login screen using the provided user credentials and, once established, the user is authenticated against the corporate directory server.

Only after successfully completing such a login can a remote client be used.

How can the same be accomplished with OS X?


You could use Tunnelblick as a front end to OpenVPN. Once installed, it runs automatically when the user logs on. It can also be configured to connect automatically, in the VPN Details dialog:

VPN Details

It appears to work with OpenDirectory also, starting from version 3.1beta16 (I am currently using version 3.4.2). Taken from the release notes (What's New in Tunnelblick 3.1beta16 (Changes from 3.1beta14)):

  • Fixes issues when using OpenDirectory and the user's home directory is on a non-Mac platform.

So, in short, while it doesn't provide the VPN logon at the login screen as requested, the end result is pretty much the same - you log in and have the VPN connection already running.

Hope this helps.


Little Snitch alone is adequate. Some combination of Little Snitch, or with Apple Server software, will accomplish what you seek. Once set, Little Snitch will prohibit/allow outgoing connections based on a saved (password protected) configuration. Only VPN can be configured such that the user will be unable to connect except through enabled connections. The user will have to sign into the VPN server after login manually or via keychain.

global rules settings

Apple Server is also pretty versatile, and Apple Enterprise Server support is quite good, especially since it comes free with the $20 Server software.