The question is bit unclear to me. Is it that you don't want SSO between webapps, but only between webapp and IDP? Then it seems, it's not complete SAML SSO scenario.
Still for the filtering, you may be able to write a 'custom authenticator', implementing the interface 'org.wso2.carbon.core.services.authentication.CarbonServerAuthenticator' and engage it in the flow.