Hi @nish_rm,
Welcome to the Auth0 Community!
I am glad that you managed to find a solution for establishing the session between the client app and the embedded widget. As you mentioned, a custom domain was not required to establish SSO between these two components as long as both applications used the same tenant and databases.
Regarding your clickjacking concern, you can read our documentation on enabling the necessary HTTP headers.
Otherwise, invalidating the widget’s session once the user has logged out of Client A can be quite complicated. One possible solution would be to store the widget’s session ID inside app_metadata, retrieve it on user logout, and use the management API to revoke the session.
If you have any other questions, feel free to reach out!
Have a good one,
Vlad
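The store-and-revoke flow outlined above, as an added Python example that is not part of the thread or Auth0's own code. It assumes the Management API v2 user and session endpoints and scopes named in the comments, a made-up app_metadata key, and includes a constructed offline stand-in for the API so the sequence runs without a tenant.

```python
import json
import urllib.request
from urllib.parse import quote

# Added example, not code from the post. Assumes the Management API v2 endpoints
# GET/PATCH /api/v2/users/{id} and DELETE /api/v2/sessions/{id}, a token with
# read:users, update:users and delete:sessions, and an assumed metadata key name.
META_KEY = "widget_session_id"

def http_transport(method, url, token, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read() or b"{}")

def _user_url(domain, user_id):
    # IDs such as "auth0|abc" carry characters that must be percent-encoded
    return f"https://{domain}/api/v2/users/{quote(user_id, safe='')}"

def record_widget_session(domain, token, user_id, session_id, transport=http_transport):
    # Step 1: after the widget logs in, store its session ID; PATCH merges top-level keys
    return transport("PATCH", _user_url(domain, user_id), token,
                     {"app_metadata": {META_KEY: session_id}})

def revoke_widget_session(domain, token, user_id, transport=http_transport):
    # Steps 2-3: on Client A logout, read the stored ID, revoke that session, then
    # null the key (which removes it) so a later logout cannot act on a stale ID.
    _, user = transport("GET", _user_url(domain, user_id) + "?fields=app_metadata", token)
    session_id = (user.get("app_metadata") or {}).get(META_KEY)
    if not session_id:
        return None
    transport("DELETE", f"https://{domain}/api/v2/sessions/{quote(session_id, safe='')}", token)
    transport("PATCH", _user_url(domain, user_id), token, {"app_metadata": {META_KEY: None}})
    return session_id

class FakeTransport:
    # constructed in-memory stand-in for the API so the flow can run offline
    def __init__(self):
        self.app_metadata, self.calls = {"plan": "pro"}, []
    def __call__(self, method, url, token, body=None):
        self.calls.append((method, url))
        if method == "PATCH":
            for key, value in body["app_metadata"].items():
                if value is None:
                    self.app_metadata.pop(key, None)
                else:
                    self.app_metadata[key] = value
        return (204, {}) if method == "DELETE" else (200, {"app_metadata": dict(self.app_metadata)})
```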