SSO fools a lot of people because it actually isn't used for front-end authentication; it's used for back-end impersonation.
So, if their domain trusts yours, when a member of your domain accesses their website they are 'Trusted', so they can access the vendor's site, which you understand and agree with. However, in this case the 'People Picker' is a backend process that needs to access your domain to get a list of people.
Because your domain doesn't trust theirs, they need an AD account to access your farm. NTLM credentials can't be relayed (unless you used Kerberos, which likely won't work here), so the 'People Picker' on their farm has no access to yours.
So, yes, in order to let SSO work properly on their domain to use the 'People Picker' for your domain, they need an account in your domain. You can make sure that the account you give them has minimum privileges.