The best practice here would be to look at how ad networks exchange data across several properties. One commonly used technique is pixel tracking. For example, in your Django application, insert:
<img src="http://myrailsapp/mysession_creator" />
Make sure the Rails application responds to this address by creating a session. This will set the session cookie on the Rails domain.
Now for the level of security, which depends on what level of security you need. You can pass information, for example:
<img src="http://myrailsapp/mysession_creator?user=myUserName" />
Obviously, this is incredibly unsafe, but it depends on your application. A more secure method:
<img src="http://myrailsapp/mysession_creator?t=<MD5HashTokenHere>" />
The Rails application then needs a mechanism for checking this token against the server side of the Django application (either through shared database state or a server-to-server call to the application). More work, but safer.
Another method, if your applications share a root domain, is to use a secure cookie on the root domain to transfer information between the applications. For example, https://django.myapp.com sets a cookie on myapp.com and https://rails.myapp.com knows to look for the "username" cookie. This requires a wildcard SSL certificate for the root domain.
Another option is to pass the token or login data with each link to the Rails application and have a before_filter that recognizes the handoff and establishes a session in the same way.
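As an added example (not part of the answer above, and not code from either application), here is the token handoff the answer sketches, written in Python so both halves run in one process: the Django side mints a token and emits the pixel tag, the Rails side's mysession_creator endpoint redeems it. The HandoffTokenStore class stands in for the database state both applications can see; the host myrailsapp, the TTL and the naive_session_creator function are assumptions made for illustration. The naive variant that trusts ?user= is kept beside the token version to show why it is unsafe.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical lifetime for a handoff token. The pixel fires as soon as the page
# renders, so a long lifetime only widens the window for a stolen token.
TOKEN_TTL_SECONDS = 60


class HandoffTokenStore:
    """Stand-in for the shared database state the answer mentions (hypothetical).

    In a real deployment this would be a table both applications can read, or an
    authenticated server-to-server call from Rails back to Django.
    """

    def __init__(self):
        self._tokens = {}  # token -> (username, expires_at)

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        # 256 random bits: unguessable, unlike an MD5 of something an attacker
        # can predict (a username, a timestamp).
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, now=None):
        now = time.time() if now is None else now
        # pop() makes the token single-use: replaying a captured pixel URL fails.
        record = self._tokens.pop(token, None)
        if record is None:
            return None
        username, expires_at = record
        if now > expires_at:
            return None
        return username


# --- Django side: mint a token and render the pixel --------------------------

def issue_handoff_url(store, username, now=None):
    """Build the pixel URL; the token is a bearer credential, so use https."""
    token = store.issue(username, now)
    return "https://myrailsapp/mysession_creator?" + urlencode({"t": token})


def pixel_tag(store, username, now=None):
    return '<img src="%s" />' % issue_handoff_url(store, username, now)


# --- Rails side: what mysession_creator would do before setting the cookie ---

def session_creator(store, request_url, now=None):
    """Return the session contents to store, or None if the token is rejected."""
    params = parse_qs(urlparse(request_url).query)
    token = params.get("t", [None])[0]
    if token is None:
        return None
    username = store.redeem(token, now)
    if username is None:
        return None
    return {"username": username}


def naive_session_creator(request_url):
    """The ?user=myUserName variant: anyone who can type a URL picks the user."""
    params = parse_qs(urlparse(request_url).query)
    user = params.get("user", [None])[0]
    return {"username": user} if user else None


if __name__ == "__main__":
    store = HandoffTokenStore()
    tag = pixel_tag(store, "alice")
    print(tag)
    url = tag.split('"')[1]
    print("first redeem :", session_creator(store, url))
    print("replay       :", session_creator(store, url))
    print("forged naive :", naive_session_creator("https://myrailsapp/mysession_creator?user=admin"))
```

The three properties worth keeping when you port this into the Rails before_filter are: the token is random and long, it is consumed on first use, and it expires quickly. Whichever side holds the store, the redeem step must happen on the server, never by comparing something the browser supplied against something the browser could also compute.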