This is an interesting problem. An SL2 application should not check the OpenID statement, but rather pass it to the server to check it. An SL2 application can test it, but then the nonce will be consumed and the server cannot check it again, yet ultimately the server MUST check its security. Therefore, most likely, the login should occur before the appearance of the SL2 application, and then it can appear with the already registered context.
There are probably other ways to do this, but the above server restriction, which is a statement verifier, is clear.
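The single-use nonce behaviour the answer relies on, as an added example that is not part of the original answer: a minimal server-side replay cache for `openid.response_nonce` (a UTC timestamp followed by unique characters, as in OpenID Authentication 2.0). The class name, the five-minute window and the sample endpoint and nonce are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # assumed acceptance window, not from the page


class NonceStore:
    """Server-side record of accepted (OP endpoint, response_nonce) pairs."""

    def __init__(self):
        self._seen = {}  # (op_endpoint, nonce) -> timestamp parsed from the nonce

    def consume(self, op_endpoint, nonce, now=None):
        """Return True exactly once per fresh nonce; False for replays,
        stale timestamps and malformed values."""
        now = now or datetime.now(timezone.utc)
        try:
            # The nonce starts with a 20-character UTC timestamp ending in "Z".
            issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            return False
        issued = issued.replace(tzinfo=timezone.utc)
        if abs(now - issued) > MAX_SKEW:
            return False
        # Entries older than the window can be dropped: the skew check
        # above would reject them anyway, so the cache stays bounded.
        self._seen = {k: t for k, t in self._seen.items()
                      if now - t <= MAX_SKEW}
        key = (op_endpoint, nonce)
        if key in self._seen:
            return False  # already consumed by an earlier verification
        self._seen[key] = issued
        return True


def demo():
    """Constructed sample: the same assertion verified twice."""
    store = NonceStore()
    now = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
    op = "https://op.example/endpoint"    # constructed endpoint
    nonce = "2024-01-01T12:00:00ZAbC123"  # constructed nonce
    first = store.consume(op, nonce, now)   # first verifier succeeds
    second = store.consume(op, nonce, now)  # any later check fails
    return first, second


if __name__ == "__main__":
    print(demo())
```

Whichever party verifies first uses up the nonce, which is why the verification has to happen on the server that makes the trust decision.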