I'm creating three websites which, in theory, users should have the same account for each one. Although with different attributes, the user email, login name, password, etc, is stored and handled by a single website (like user.mysso.com).
Should I do that using a RESTful webservice on user.mysso.com that provides an interface for querying/authenticating users? Or is this insecure?
No. Use the correct tool for the task which is a Directory Service in this case.
In your shoes I probably use OpenLDAP and Authenticating user using LDAP from PHP