1) No, you don't need SAPGUI at all in regard to giving users access to the CRM UI (ICWEB). You just need the secure login client, and all the steps in AD to build the service user (SETSPN), RZ10 params, OS level commands to generate the keytab....maybe apply some notes...
For sure, no SAPGUI is required.
2) YES, you have to buy the license for anything SSO in regard to SNC SSO to SAPGUI, SPNEGO SSO for WEBGUI/NWBC/ICWEB since that is about an ABAP based system.
AS JAVA based SSO via SPNEGO can be accomplished at no cost at all. But a CRM and ECC systems are ABAP so yes, for those you have to pay. So a modern AS JAVA system like portal, etc you don't need to pay anything. You can find the documentation for that, it isn't too hard to do.