• Type: Sub-task
    • Resolution: Fixed
    • Priority: L3 - Default
    • Fix Version/s: 2.5.0-alpha1, 2.5.0
    • Affects Version/s: None
    • Component/s: backend
    • Labels: None

      AT:

      • the Optimize auth session cookie has the SameSite flag set to Strict
      • this is also the case for SSO
      • the supported environments section of the documentation mentions that only specific IE11 browser versions are supported
      • the SameSite cookie flag can be disabled via configuration

      Note:
      Setting SameSite=Strict might be a low-hanging fruit for CSRF protection on browsers that support it, see https://caniuse.com/#feat=same-site-cookie-attribute (yes, even IE11).
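      The acceptance criteria above can be checked mechanically: the session cookie must carry SameSite=Strict, and the attribute must disappear when disabled via configuration. The following is an added example, not Optimize's own code; the cookie name and the configuration flag name are assumptions.

```python
"""Acceptance check for the SameSite=Strict requirement on session cookies.

Added example, not Optimize's own code. Assumed names: the auth cookie
name below and the configuration flag `same_site_enabled`.
"""

AUTH_COOKIE = "OPTIMIZE_SESSION"  # assumed cookie name, not the real one


def build_set_cookie(name, value, same_site_enabled=True, secure=True):
    """Build a Set-Cookie header as the acceptance criteria describe:
    SameSite=Strict by default, omitted when disabled via configuration."""
    parts = [f"{name}={value}", "Path=/", "HttpOnly"]
    if secure:
        parts.append("Secure")
    if same_site_enabled:
        parts.append("SameSite=Strict")
    return "; ".join(parts)


def parse_set_cookie(header):
    """Return (cookie_name, {attribute_lowercase: value}) for one header."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name = first.split("=", 1)[0]
    attributes = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip()
    return name, attributes


def audit_session_cookies(headers, expected_same_site="Strict"):
    """Return the names of cookies whose SameSite attribute is missing or
    differs from the expected value, i.e. the ones failing the check.
    A browser that ignores SameSite (older IE11 builds) is not detectable
    here; this only verifies what the server sends."""
    failing = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if attrs.get("samesite", "").lower() != expected_same_site.lower():
            failing.append(name)
    return failing
```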

            Assignee:
            Unassigned
            Reporter:
            Sebastian Bathke
            Votes:
            0
            Watchers:
            1