Welcome back to the Centrify Express forum. The answers to your questions are somewhat scattered across the boards, but I'm going to summarize them here:
You don't need to use Centrify-enhanced OpenSSH. You can continue to use stock SSH, and since most modern SSH servers support Kerberos and GSSAPI, you are fine.
There are specific reasons to use Centrify-enhanced OpenSSH, like smart card, advanced authorization, complex AD forests, etc., but none of those apply to Express users. Also keep in mind that once you "Centrify" a box, human users authenticate either via Kerberos or using their AD credentials; therefore SSH keys are used for other purposes like apps or system-to-system authentication (that can be done with Kerberos too). The idea here is that you may discontinue the use of SSH keys or reduce it to a fraction.
Quick answers
1. I noticed that if I install the CentrifyDC-openssh package, new ssh keys are created in /etc/centrifydc/ssh. Does that mean existing stock ssh keys in /etc/ssh are not used by CentrifyDC-openssh? I'm trying to avoid annoying users with the "man in the middle attack" message if they have already accepted stock ssh keys.
No. They would have to be re-created. Hence the suggestion to continue using stock SSH.
2. Does CentrifyDC-openssh have support for tcp_wrappers-enabled xinetd?
Although I'm not familiar with it and have not tried it, I don't see why not. Our enhancements are related to identity, Kerberos, or AD complexity.
3. If I decide to use the stock sshd package in CentOS 6.8, is there a way to enable SSO?
Absolutely!!! Check out KB-2841: https://centrify.force.com/support/Centrify_KB_ArtDetail?Id=kA080000000GqngCAC
4. If I decide to use the stock sshd package in CentOS 6.8, is AllowGroups and/or AllowUsers the best way to restrict access to ssh logins?
The best way to restrict access, provide privilege elevation, RBAC, MFA, time-fencing, attestation, and reporting is to use Centrify Standard Edition (DirectAuthorize), and not only can you control SSH access, but any PAM-enabled app.
However, if you are strictly using Express, that's a good option. Remember to have good physical security because all your AD users will still be able to log in through the console.
R.P
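As an added example (not part of the post above, and not Centrify's code), here is a small shell audit for the two stock-sshd points in answers 3 and 4: whether GSSAPI (Kerberos) SSO is actually on, and whether AllowGroups/AllowUsers restricts logins at all. It encodes three OpenSSH sshd_config rules that trip people up: the first occurrence of a keyword wins and later duplicates are ignored, keywords are case-insensitive, and anything after a `Match` header is conditional rather than global. The config fragments, temp file names, and group names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the forum post: audit a stock sshd_config for
# GSSAPI (Kerberos) SSO and for AllowGroups/AllowUsers login restriction.
# File names and group names below are constructed placeholders; the keyword
# semantics (first value wins, case-insensitive, Match is conditional) are
# OpenSSH's own.

# Print the effective global value of one sshd_config keyword.
# Assumes whitespace-separated "Keyword value" lines (the "Keyword=value"
# form is not handled here).
sshd_global_value() {
    # $1 = path to config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || /^[ \t]*#/ { next }            # blank lines and comments
        tolower($1) == "match" { exit }           # rest of file is conditional
        tolower($1) == key {                      # first occurrence wins
            v = ""
            for (i = 2; i <= NF; i++) v = v (i > 2 ? " " : "") $i
            print v
            exit
        }
    ' "$1"
}

# Summarise whether SSO is on and whether logins are restricted at all.
sshd_audit() {
    cfg=$1
    gss=$(sshd_global_value "$cfg" GSSAPIAuthentication | tr 'A-Z' 'a-z')
    groups=$(sshd_global_value "$cfg" AllowGroups)
    users=$(sshd_global_value "$cfg" AllowUsers)
    if [ "$gss" = "yes" ]; then sso=yes; else sso=no; fi   # sshd default is "no"
    if [ -n "$groups$users" ]; then restrict=yes; else restrict=no; fi
    printf 'sso=%s restrict=%s allowgroups=[%s] allowusers=[%s]\n' \
        "$sso" "$restrict" "$groups" "$users"
}

# --- constructed sample configs, written to temp files so this runs offline ---
WEAK_CFG=$(mktemp)
GOOD_CFG=$(mktemp)

# Sample 1: SSO is switched on too late (the first value wins) and the only
# AllowGroups line sits inside a Match block, so it is not a global restriction.
cat > "$WEAK_CFG" <<'EOF'
Protocol 2
PasswordAuthentication yes
GSSAPIAuthentication no
GSSAPIAuthentication yes
Match Address 10.0.0.0/8
    AllowGroups admins
EOF

# Sample 2: the corrected fragment. Group names are placeholders; they must be
# the names the AD-joined box actually resolves (check with "id <user>").
cat > "$GOOD_CFG" <<'EOF'
Protocol 2
PasswordAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
AllowGroups linux-admins sshusers
EOF

sshd_audit "$WEAK_CFG"
sshd_audit "$GOOD_CFG"
```

Run `sshd_audit /etc/ssh/sshd_config` on the real box, then cross-check with `sshd -T | grep -i -e gssapi -e allowgroups -e allowusers`, which prints the effective values the daemon will actually use. Remember the point made in answer 4: AllowGroups only gates sshd, so console logins by other AD users still need physical security.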