We have a Java web application accessed from both browsers and an iPhone app, using Spring Security as the underlying SSO implementation. Since adding sameSiteCookies="strict" in Tomcat's context.xml, I added a line in the backend before sending out the SSO request:

```java
// Session cookie written by hand as a raw header (bypasses Tomcat's CookieProcessor)
response.setHeader("Set-Cookie", "JSESSIONID=" + sessionIdValue + "; SameSite=None" + "; Secure");
```

All the browsers work, even browsers on iPhone. But the iPhone app stopped working due to losing the JSESSIONID cookie upon receiving the SSO response. I tried both "None" and "Lax" on the backend, but neither works for the iPhone app. If anybody can spend some time to give me a clue, that would be much appreciated. Thank you all.
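A way to check what the SSO response actually puts on the wire, as an added example that is not part of the original post: the script below parses the `Set-Cookie` headers of one response and flags `SameSite=None` without `Secure`, cookies with no `SameSite` at all, and the same cookie name set twice with conflicting `SameSite` values (a raw `setHeader` next to the cookie Tomcat emits itself). The sample headers are constructed for illustration; capture the real ones from the SSO response in a proxy or the app's network log.

```python
from dataclasses import dataclass


@dataclass
class CookieInfo:
    name: str
    value: str
    attrs: dict  # lower-cased attribute name -> value, or None for flags like Secure


def parse_set_cookie(header: str) -> CookieInfo:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return CookieInfo(name.strip(), value, attrs)


def audit_set_cookies(headers) -> list:
    """Return human-readable findings for the Set-Cookie headers of one response."""
    findings = []
    seen = {}  # cookie name -> lower-cased SameSite value already seen
    for header in headers:
        c = parse_set_cookie(header)
        same_site = (c.attrs.get("samesite") or "").lower()
        secure = "secure" in c.attrs
        if same_site == "none" and not secure:
            findings.append(f"{c.name}: SameSite=None without Secure; browsers reject this cookie")
        if same_site == "":
            findings.append(f"{c.name}: no SameSite attribute; Chromium-based browsers treat it as Lax")
        if c.name in seen and seen[c.name] != same_site:
            findings.append(f"{c.name}: set twice with conflicting SameSite "
                            f"({seen[c.name] or 'unset'} vs {same_site or 'unset'}); the later header replaces the earlier")
        seen[c.name] = same_site
    return findings


# Constructed sample: what an SSO response could carry when Tomcat emits JSESSIONID
# under sameSiteCookies="strict" and the backend also writes its own raw header.
SAMPLE_SSO_RESPONSE_HEADERS = [
    "JSESSIONID=0123ABCD; Path=/app; HttpOnly; SameSite=Strict",
    "JSESSIONID=0123ABCD; SameSite=None; Secure",
    "XSRF-TOKEN=t0ken; Path=/",
]


def audit_sample() -> list:
    return audit_set_cookies(SAMPLE_SSO_RESPONSE_HEADERS)
```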