
Setting cookies like that is a pretty standard SSO technique for the web as far as I know.

Is there a superior alternative I can read up on?




1. Do authentication on auth.example.com

2. Set a session cookie for auth.example.com

3. Redirect to app.example.com/?token=12345

4. Exchange token for a session cookie on app.example.com

This way each (sub)domain will have its own unique cookie.
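The four steps above as an added worked model, not code from anyone in the thread. The host names follow the comment; the audience binding, expiry and single-use handling of the step 3 token are assumptions about how such an exchange token should behave, as is the back-channel `redeem` call.

```python
import secrets, time
from urllib.parse import urlparse, parse_qs

class AuthServer:  # models auth.example.com
    def __init__(self):
        self.sessions = {}   # auth cookie value -> user
        self.tokens = {}     # one-time token -> (user, intended app host, expiry)
    def login(self, user):
        # Steps 1-2: authenticate, set a host-only cookie (no Domain=.example.com)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return {"name": "auth_sid", "value": sid, "domain": "auth.example.com"}
    def issue_token(self, auth_cookie, app_host, ttl=60):
        # Step 3: mint a short-lived, single-use token bound to the target app
        # (assumed behaviour; the comment only shows ?token=12345)
        user = self.sessions[auth_cookie["value"]]
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (user, app_host, time.time() + ttl)
        return f"https://{app_host}/?token={tok}"
    def redeem(self, tok, app_host):
        # Back-channel exchange: pop() makes the token single-use; the audience
        # check stops a token minted for one app being redeemed by another
        rec = self.tokens.pop(tok, None)
        if rec is None:
            return None
        user, aud, exp = rec
        return user if aud == app_host and time.time() <= exp else None

class AppServer:  # models one app host; its cookie never leaves that host
    def __init__(self, host, auth):
        self.host, self.auth, self.sessions = host, auth, {}
    def handle_redirect(self, url):
        # Step 4: exchange the token for a session cookie scoped to this host only
        tok = parse_qs(urlparse(url).query)["token"][0]
        user = self.auth.redeem(tok, self.host)
        if user is None:
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return {"name": "app_sid", "value": sid, "domain": self.host}

def demo():
    auth = AuthServer()
    app, other = AppServer("app.example.com", auth), AppServer("other.example.com", auth)
    auth_cookie = auth.login("alice")   # constructed sample user
    url = auth.issue_token(auth_cookie, app.host)
    return {"auth": auth_cookie,
            "app": app.handle_redirect(url),     # host-only app cookie
            "replay": app.handle_redirect(url),  # None: token already consumed
            "misdirected": other.handle_redirect(auth.issue_token(auth_cookie, app.host))}
```

Each cookie carries only its own host in `domain`, so a compromise of one app's session store does not yield a cookie valid on the others.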


Ah, so the issue is that the cookie was set for the entire domain, not that a cookie was set at all.

My misunderstanding. Yes, what you lay out makes sense.


Reading his other comment, koblas was actually talking about bearer tokens.

Not sure how they are actually better than cookies, though. Certainly can be a lot more complex. With cookies you mostly just have to avoid the *.example.com foot gun.



