To my knowledge the SDK will set a cookie specific to the full domain where the SDK is being used; however, you’re using one domain to start the login and a different one to process the callback, so it’s likely that the cookie is being set, but on app.local.io and as such unavailable once the response is returned to auth.local.io.
Can you expand on the use case for starting the login in one domain, but handling it in another one? Given they share a parent domain you can likely work around this with custom logic, but that would seem unnecessary overhead.
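
The cookie scoping behind the reply above, as an added example that is not part of the original post and is not SDK code: it applies the RFC 6265 host-only and domain-match rules to the two hosts from this thread. The cookie names, the simplified `Set-Cookie` parsing, and the omission of public-suffix and IP-address checks are assumptions made for the illustration.

```javascript
// Added illustration (not SDK code). Cookie names below are constructed.

// RFC 6265 section 5.1.3: hosts match if identical or host ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Store a cookie the way a browser would when `setterHost` returns the header.
// Returns null when the Domain attribute is not the setter or one of its parents.
function storeCookie(setterHost, setCookieHeader) {
  const [nameValue, ...attrs] = setCookieHeader.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    domain: setterHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: exact host only
  };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() !== "domain" || val === "") continue;
    const domain = val.replace(/^\./, "").toLowerCase();
    if (!domainMatch(setterHost, domain)) return null; // e.g. a sibling host
    cookie.domain = domain;
    cookie.hostOnly = false; // now visible to every subdomain of `domain`
  }
  return cookie;
}

// Names of the cookies a browser would attach to a request for `requestHost`.
function cookiesSentTo(jar, requestHost) {
  const host = requestHost.toLowerCase();
  return jar
    .filter((c) => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
    .map((c) => c.name);
}

// Constructed sample: login starts on app.local.io, callback lands on auth.local.io.
function buildJar() {
  return [
    storeCookie("app.local.io", "state_hostonly=abc123; Secure; HttpOnly"),
    storeCookie("app.local.io", "state_shared=abc123; Domain=local.io; Secure"),
    storeCookie("app.local.io", "state_sibling=abc123; Domain=auth.local.io"),
  ].filter((c) => c !== null);
}

console.log("sent to auth.local.io:", cookiesSentTo(buildJar(), "auth.local.io"));
```

Scoping a cookie to the parent domain makes it readable by every host under `local.io`, which is the trade-off to weigh before widening it.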