Right, because you're sending the new APM an access token that it doesn't own. It's a little tricky here because you're using DNS to flip between the sites, so regardless of the domain scope the host name would be the same (with different IP) so the client would still send the cookie. The domain scope only exacerbates that problem. The only option I can think of is to maybe perform a check in the HTTP_REQUEST, such that if a client presents a session token that doesn't exist in the local session table, forcefully remove that cookie in a redirect back to the requested URL.
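
A sketch of the check described above, as an added example that is not part of the original post and has not been tested on a BIG-IP. It assumes the default APM session cookie name `MRHSession`, an HTTPS virtual server, and a constructed placeholder cookie domain `.example.com` for the domain-scoped case.

```tcl
when HTTP_REQUEST {
    # Nothing to check if the client did not present an APM session cookie.
    if { not [HTTP::cookie exists "MRHSession"] } { return }

    set sid [HTTP::cookie value "MRHSession"]

    # Token is in this APM's local session table: let normal access
    # processing continue.
    if { [ACCESS::session exists $sid] } { return }

    # Token was issued by the other site's APM. Expire it in the browser and
    # send the client back to the URL it asked for, so the retry arrives with
    # no session cookie and starts a fresh access policy evaluation.
    # A redirect turns a POST into a GET, so any request body is lost.
    set expired "expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; Secure; HttpOnly"

    # Two Set-Cookie headers: one clears a host-scoped cookie, the other a
    # domain-scoped one. A browser only drops a cookie when the Domain and
    # Path attributes match those it was set with; if they do not match, the
    # cookie survives and this rule redirects in a loop.
    # ".example.com" is a placeholder (assumption), replace with the real
    # cookie domain configured on the access profile.
    HTTP::respond 302 noserver \
        Location "https://[HTTP::host][HTTP::uri]" \
        Set-Cookie "MRHSession=deleted; $expired" \
        Set-Cookie "MRHSession=deleted; $expired; domain=.example.com" \
        Cache-Control "no-store" \
        Connection "close"
}
```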