First it opens a connection to the card reader by calling sectok_friendly_open. The arguments are the name of the reader, a flag that tells the reader not to wait for a card to be inserted, and the address of a word for status return.
Next, it calls sectok_reset to reset the card, and calls a function that returns the application class of the card (the first byte of each APDU).
Finally, it calls sectok_apdu and sends a select APDU to the card to select the applet. The argument to this is an AID, which is a 5 to 32 byte string used to name applets.
When ssh wants to decrypt a challenge, it sends the challenge to the card by sending a DECRYPT APDU.
If you want to know how the key got stored on the card, take a look at ssh-keygen.c and search for "sectok_".