Why is LTPA Cookie missing in my WAS Liberty environment?


I have configured OIDC authentication (external OP) with WAS Liberty Profile version WebSphere Application Server 21.0.0.7/wlp-1.0.54.cl210720210629-1900.

While testing, the OIDC authentication is successful and I see the following cookies set by WAS on my browser:

  • JSESSIONID
  • WASReqURLOidcp1059877004
  • WASReqURLOidcp825245628
  • WAS_n1263819336
  • WAS_n1832376351
  • WAS_p2129763847
  • WASOidcStaten765589445
  • WASOidcCode

I do see these messages in my messages.log during server startup:

0000003b com.ibm.ws.security.token.ltpa.LTPAKeyInfoManager I CWWKS4103I: Creating the LTPA keys. This may take a few seconds.
0000003b com.ibm.ws.security.token.ltpa.LTPAKeyInfoManager A CWWKS4104A: LTPA keys created in 0.337 seconds. LTPA key file: jv-ltpa.keys
0000003b com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask I CWWKS4105I: LTPA configuration is ready after 0.341 seconds.

Also, in my server.xml I have NOT explicitly disabled LTPA token or cookie generation.

disableLtpaCookie="false"

Why isn't there an LTPA cookie being set in my browser?


Here is my server.xml

<?xml version="1.0" encoding="UTF-8"?>
<server description="Default Server">

    <!-- Enable features -->
    <featureManager>
        <feature>javaee-8.0</feature>
        <feature>microProfile-3.0</feature>
        <feature>adminCenter-1.0</feature>
        <feature>appSecurity-2.0</feature>
        <feature>openidConnectClient-1.0</feature>
        <feature>transportSecurity-1.0</feature>
    </featureManager>

    <openidConnectClient id="oidcBridge" clientId="removed"
        clientSecret="removed"
        discoveryEndpointUrl="https://my-op.com/.well-known/openid-configuration" signatureAlgorithm="RS256"
        jwkEndpointUrl="https://my-op.com/.well-known/jwks.json" disableLtpaCookie="false"
        allowDefaultSsoCookieName="true">
    </openidConnectClient>

    <basicRegistry id="basic">
        <user name="admin" password="admin" />
        <user name="user1" password="user1" />
        <user name="user2" password="user2" />
        <group name="users">
            <member name="user1" />
            <member name="user2" />
        </group>
    </basicRegistry>

    <administrator-role>
        <user>admin</user>
    </administrator-role>

    <!-- To allow access to this server from a remote client host="*" has been added to the following element -->
    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />

    <!-- Automatically expand WAR files and EAR files -->
    <applicationManager autoExpand="true" />
    <keyStore id="defaultKeyStore" password="removed" location="${server.config.dir}/jv-trust.p12" type="PKCS12" />
    <ltpa keysFileName="jv-ltpa.keys" keysPassword="removed" expiration="1200" />

    <webAppSecurity singleSignonEnabled="true" ssoDomainNames="app1.com" allowFailOverToBasicAuth="true"
        ssoRequiresSSL="false" />

    <application context-root="snoop" id="DefaultApplication"
        location="${server.config.dir}/apps/DefaultApplication.ear" name="DefaultApplication" type="ear">
        <application-bnd>
            <security-role name="All Role">
                <special-subject type="ALL_AUTHENTICATED_USERS" />
            </security-role>
        </application-bnd>
    </application>

</server>
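A small diagnostic for the situation described in the question, added here as an example and not part of the original post or of Liberty itself. It takes the raw Set-Cookie headers a browser or proxy captured from the Liberty server, separates the SSO token cookie from the transient cookies the OIDC client writes during the authorization-code flow, and reports whether the SSO cookie is missing or is set without HttpOnly/Secure. Assumptions: the default Liberty SSO cookie name is taken to be LtpaToken2 (the server.xml above does not set ssoCookieName, so the default would apply), and the WASReqURLOidc*, WASOidcState*, WASOidcCode and WAS_* names from the question are treated as OIDC flow-state cookies rather than the SSO token. The sample headers are constructed, not captured from the asker's environment.

```python
from dataclasses import dataclass, field

# Assumed default name of Liberty's LTPA SSO cookie (the question's server.xml
# sets no webAppSecurity ssoCookieName, so the default would apply).
DEFAULT_SSO_COOKIE = "LtpaToken2"

# Cookie-name prefixes listed in the question; treated here (assumption) as
# transient state written by openidConnectClient during the code flow.
OIDC_FLOW_PREFIXES = ("WASReqURLOidc", "WASOidcState", "WASOidcCode", "WAS_")


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)

    def flag(self, attr: str) -> bool:
        """True when a boolean attribute such as HttpOnly or Secure is present."""
        return attr.lower() in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return Cookie(name.strip(), value, attrs)


def audit_sso_cookies(set_cookie_headers, sso_cookie_name=DEFAULT_SSO_COOKIE):
    """Classify cookies as SSO token / OIDC flow state / other and list findings."""
    cookies = [parse_set_cookie(h) for h in set_cookie_headers]
    result = {"sso": None, "oidc_flow": [], "other": [], "findings": []}
    for c in cookies:
        if c.name == sso_cookie_name:
            result["sso"] = c
        elif c.name.startswith(OIDC_FLOW_PREFIXES):
            result["oidc_flow"].append(c.name)
        else:
            result["other"].append(c.name)

    sso = result["sso"]
    if sso is None:
        result["findings"].append(
            f"no {sso_cookie_name} cookie: SSO token not issued to the browser")
    else:
        if not sso.flag("HttpOnly"):
            result["findings"].append(f"{sso_cookie_name} lacks HttpOnly")
        if not sso.flag("Secure"):
            result["findings"].append(f"{sso_cookie_name} lacks Secure")
    return result


# Constructed sample mirroring the cookie names in the question (no LTPA cookie).
SAMPLE_WITHOUT_LTPA = [
    "JSESSIONID=0000abc; Path=/; HttpOnly",
    "WASReqURLOidcp1059877004=https%3A%2F%2Fapp1.com%2Fsnoop; Path=/; HttpOnly",
    "WASOidcStaten765589445=abc123; Path=/; HttpOnly",
    "WASOidcCode=def456; Path=/; HttpOnly",
    "WAS_n1263819336=x; Path=/",
]

# Constructed sample of a response that does carry the SSO cookie, but over
# plain HTTP so it is set without the Secure attribute.
SAMPLE_WITH_LTPA = SAMPLE_WITHOUT_LTPA + [
    "LtpaToken2=opaque-base64-token; Path=/; Domain=app1.com; HttpOnly",
]

if __name__ == "__main__":
    for label, sample in (("without", SAMPLE_WITHOUT_LTPA), ("with", SAMPLE_WITH_LTPA)):
        r = audit_sso_cookies(sample)
        print(label, "flow:", r["oidc_flow"], "other:", r["other"], "findings:", r["findings"])
```

Feed it the Set-Cookie values from the browser's network tab or a proxy capture of the final redirect back to the application; if ssoCookieName has been customised in webAppSecurity, pass that name as the second argument.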