This repository was archived by the owner on Jun 12, 2021. It is now read-only.

Session management #87

@rohe

My present thinking is this:

When a user completes a successful authentication at an OP, a session is created.
There is one session per user_id and client_id combination.

That means that if the user sends an authentication request from another client and SSO is used then a new session is created. The 2 sessions have an authentication event in common.
If SSO was not allowed then the 2 sessions, even if they concerned the same user_id, would not have a common authentication event.

This means that at the top of the session management tree we would have a number of authentication events.

Now, within a session, grants can be given. These grants can lead to authorization codes, access tokens and/or refresh tokens being issued.

So we have a hierarchy:

  1. Authentication Event
  2. Session
  3. Grant

This would allow us easy handling of single logout as well as dealing with grant management as described in Grant Management.

There are connections between grants; for instance, it's useful to know which refresh token was used to issue which access token.
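
A sketch of the hierarchy described in this issue, added here as an illustration and not code from the issue author or the project. All class and method names (`AuthenticationEvent`, `Session`, `Grant`, `Token`, `based_on`, `mint`, `revoke`, `logout`) are hypothetical; it shows one session per (user_id, client_id), the refresh-to-access token link, and single logout as a walk down the tree.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Token:
    kind: str  # "code", "access" or "refresh"
    based_on: Optional["Token"] = None  # token this one was issued from
    value: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    revoked: bool = False

@dataclass
class Grant:
    scope: List[str]
    tokens: List[Token] = field(default_factory=list)

    def mint(self, kind: str, based_on: Optional[Token] = None) -> Token:
        if based_on is not None and based_on.revoked:
            raise ValueError("cannot issue from a revoked token")
        token = Token(kind, based_on)
        self.tokens.append(token)
        return token

    def revoke(self, token: Token) -> None:
        # Revoke a token and, recursively, every token issued from it.
        token.revoked = True
        for other in self.tokens:
            if other.based_on is token and not other.revoked:
                self.revoke(other)

@dataclass
class Session:
    user_id: str
    client_id: str
    grants: List[Grant] = field(default_factory=list)

@dataclass
class AuthenticationEvent:
    user_id: str
    sessions: Dict[Tuple[str, str], Session] = field(default_factory=dict)

    def session_for(self, client_id: str) -> Session:
        # One session per (user_id, client_id); with SSO a second client
        # gets its own session under the same authentication event.
        key = (self.user_id, client_id)
        return self.sessions.setdefault(key, Session(self.user_id, client_id))

    def logout(self) -> None:
        # Single logout: event -> sessions -> grants -> tokens.
        for session in self.sessions.values():
            for grant in session.grants:
                for token in grant.tokens:
                    token.revoked = True
        self.sessions.clear()
```

Without SSO, each client's login would create its own `AuthenticationEvent`, so `logout()` on one event would leave the other client's session untouched.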

Labels: enhancement, help wanted, question
