My colleague and I spent some more time troubleshooting this together, and we found that in order for my application (app.mydomain.com) to access the Auth0 cookies (login.mydomain.com), the cookie sent from the login domain has to be set with the “domain” flag set to either my login subdomain or my root domain name.
See: http - Share cookies between subdomain and domain - Stack Overflow
Can anyone confirm whether that’s true and whether Auth0 provides controls to induce that behavior?
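
For reference, the cookie scoping rules the question turns on, as an added example that is not part of the original post and not Auth0 code: a small model of RFC 6265 domain matching (sections 5.1.3, 5.2.3 and 5.3) applied to the two hostnames above. The function names are hypothetical, and public-suffix checks are left out on the assumption that mydomain.com is an ordinary registrable domain.

```javascript
// Added example: RFC 6265 cookie domain scoping (sections 5.1.3, 5.2.3, 5.3).
// Hostnames are the ones used in the post; public-suffix checks are omitted.

// RFC 6265 5.1.3: a host domain-matches a cookie domain if they are identical,
// or the host ends with "." + domain and the host is not an IP address.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// Models what the user agent stores when `settingHost` sends Set-Cookie.
// domainAttr is the Domain attribute value, or null when it is absent.
// Returns null when the user agent would reject the cookie.
function storeCookie(settingHost, domainAttr) {
  if (domainAttr === null || domainAttr === "") {
    return { domain: settingHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase(); // leading dot ignored
  if (!domainMatches(settingHost, domain)) return null; // setter is outside that scope
  return { domain, hostOnly: false };
}

// Would the stored cookie be attached to a request for requestHost?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatches(requestHost, cookie.domain);
}

// One row per Domain attribute value that login.mydomain.com might send.
function scopeTable() {
  const setter = "login.mydomain.com";
  const rows = {};
  for (const attr of [null, "login.mydomain.com", "mydomain.com", "app.mydomain.com"]) {
    const c = storeCookie(setter, attr);
    rows[attr === null ? "(none)" : attr] = {
      stored: c !== null,
      login: isSentTo(c, "login.mydomain.com"),
      app: isSentTo(c, "app.mydomain.com"),
    };
  }
  return rows;
}

console.table(scopeTable());
```

A cookie stored with Domain=mydomain.com is attached to requests for every host under mydomain.com, so that scope is wider than the two hosts named in the post.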