It seems very close, you use extended notifications with http links to user decisions, those links activate web services which do not require SAP GUI and you can see your e-mails from your mobile devices. So close, but not there.

In more and more organization there is a demand to approve workitems from mobile devices; this usually starts with the CEO and a few other high ranking personal of the company. CFO's want to impress the CEO and they too usually see that this is a very close possibility. However smaller organizations want simple solutions for this.

Well, there are some options:

1. Use a VPN (virtual private network), there are VPNs for mobile devices as well as computers, and since the links are web services they will work. This solution doesn't need development or any other installation except the VPN on the user's devices. There are problems however; the web services are not adapted for mobile phones so the display will be small. And the users will have to give a password two times – once for the VPN and once for the web service. This is a big problem as this is a solution for the higher ranking personal of the company, and they are usually, well, a bit spoiled…
2. Another solution is using a reverse proxy (a server running in front of a Web server),  , it does not even require installation on the user's devices, as described for example in:  Configuring Reverse Proxy Servers - Administration - SAP Library. This has the same problems as the last solution and is more viewed as a security risk by the internet security team I have talked to. Although there are solutions to this to, for example, allowing the proxy to interact only with specific MAC addresses.  However this doesn't require any installation at all except changing the links in the extended notification to point to the reverse proxy server.  
3. A third solution in to use incoming mails to process the users decision, this also requires no installation on the users device, and only a few developments to process the incoming mails. It also requires no logon from the users and enables them to enter comments in their reply which makes this a good option to implement.

The most common way I have seen to bypass part of the SSO problem is using the SAP portal, since it has a SSO with the ECC and with the active directory, which the BSP of the extended notification doesn't.

To be more specific, I think there is a way to enable SSO for SAP web services but in all the organizations I asked for a way to solve this problem the portal solution was selected. If anyone has implemented an SSO for the workflow web services I would love to hear about it.

Another advantage for using SAP portal is that you can add the option to add remarks since you are create a new iview anyway (I haven't found a way to create a link to a specific workitem in the UWL, again if anyone has, do share).  

Whatever solution you think might be good for your organization, all of them should be checked with the organization internet security team, I received very different responses from different security specialists, one of them didn't want to allow any access to the SAP ECC servers and another pushed for the reverse proxy solution with is the least secure to the best of my understanding.

Also, I do think that SAP Fiori and SMP (SAP Mobile Platform) are going the right way (see for example Which #Workflow Inbox When? Pros and cons for SAP Business Workflow and SAP NetWeaver #BPM ) are a great solution to this problem and will be implemented more and more as time goes by. For now installing a SAP NetWeaver gateway server and a SMP server, I my opinion, seem to be a bit too much for smaller organizations if their only demand is workflow approval.