The Office 16 preview gives us a glimpse of how the OpenID Connect middleware in AAD has been grafted onto the webticket infrastructure (of old).
The basic discovery of endpoints, given a tenant-bound user name.
Next, we see a block of protocol requests designed to get access to a secondary discovery service:
Note the OpenID Connect AAD-based authorization header, alongside the webticket header.
MEX of an STS, armed with OAuth-related policy for the issue (token) action
MEX of a cert provisioning STS (GetAndPublish verb, vs. Issue/Refresh etc.)