I’ve been mentioning to my customers for a while now the importance of considering how you want your PSC design to look in vSphere 6. I’ve also made sure to point out that the path from an internal SSO (common in vSphere 5.x) to an external PSC (what I recommend to almost everyone in vSphere 6) is neither straightforward nor automated.
See this VMware KB article: List of recommended topologies for VMware vSphere 6.0.x (2108548). Pay particular attention to the deprecated topologies:
It further reinforces my recommendation that unless you have a very, very tiny corner case, your Platform Services Controller (PSC) should be external.