I've never tried it with several forests, only with several domains in the same forest, so it might or might not work. The trick is using a global catalog server as the LDAP server Moodle uses, and querying the Global Catalog service instead of the LDAP service. See http://docs.moodle.org/26/en/LDAP_authentication#Using_a_multi-domain_AD_environment for some details.
I've never used NTLM SSO with a setup like that, so I can't say whether it'll work or not. To start with, NTLM doesn't work if you have users with the same sAMAccountName in different domains, as it's unable to tell them apart (it doesn't use the domain part at all). You could overcome this using SSPI/Kerberos instead of NTLM, but the setup is a bit more complicated.
A second option worth exploring is using the SAML authentication plugin against ADFS. I've never used it myself, but several people in the forums have talked about its possibilities.
A third option is keeping the same strategy your client is using right now: have several LDAP auth plugins, each querying a different LDAP server. There's a patch to the standard LDAP auth plugin (maintained by me) to do this. I currently have versions of the patch for Moodle 2.2 onwards. I publish new or updated versions from time to time in a forum discussion here at Moodle.org. If you don't find it or don't find the version you need, feel free to send me a private message here on Moodle.org.