How to debug Cross-Origin Auth issues

We have 2 Applications (App1 and App2 for simplicity) records set up in our QA and PROD Auth0 tenancies. Users always get to App2 from a link within App1. Once they’re authenticated into App1, they are presented with a link to get to App2.
In QA it “just works”: the user logs into App1, clicks the link to App2 and goes through to App2. In PROD we “think” we’ve done the same process: toggled the “Allow Cross-Origin Authentication” on and added the App2 application URLs in the “Allowed Web Origins” and “Allowed Origins (CORS)” boxes.

However, in PROD, each time a user logs in to App1 and tries to access App2, they are presented with the universal login screen a second time to access App2.

How do I debug this to figure out where the error might be?