Thanks for your reply.
> The CookieDomain of the Auth cookie needs to be ".mydomain.com" not just "mydomain.com"
In RFC 2109, a domain without a leading dot meant that it could not be used on subdomains, and only a leading dot (.mydomain.com) would allow it to be used across subdomains.
However, modern browsers respect the newer specification RFC 6265, and will ignore any leading dot, meaning you can use the cookie on subdomains as well as the top-level domain.
> The machine key and decryption key of all servers need to be identical
Ok. I have only a single server and a single application, so this is not necessary.
> But I think your scenario is possibly relating to the domains in the sites config; do all three subdomains use the same domain e.g. extranet?
Yes, all three domains use the same domain. So this is no problem.
Meanwhile I got the solution:
Sitecore uses forms authentication, so the relevant cookies whose domain has to be set are ".ASPXAUTH" and "sitecore_userticket".
".ASPXAUTH" cookie domain can be set in web.config:
<forms name=".ASPXAUTH" cookieless="UseCookies" domain="mydomain.com" timeout="30"/>
"sitecore_userticket" can be set when overriding Sitecore.Security.Authentication.FormsAuthenticationProvider, but I found it easier to create an EndRequest handler:
using System;
using System.Configuration;
using System.Web;
using System.Web.Configuration;
protected void Application_EndRequest(object sender, EventArgs e)
{
    // set cookie domain for authentication ticket
    var authCookie = HttpContext.Current.Response.Cookies["sitecore_userticket"];
    if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
    {
        // when checking response cookies, cookie is created if not exists, so delete now
        HttpContext.Current.Response.Cookies.Remove("sitecore_userticket");
        return;
    }
    // read domain from .ASPXAUTH cookie setting in system.web/authentication/forms
    var authSection = ConfigurationManager.GetSection("system.web/authentication") as AuthenticationSection;
    authCookie.Domain = authSection != null && authSection.Forms != null ? authSection.Forms.Domain : "";
}
Now everything is working fine. Thanks for your help!
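The leading-dot point discussed above (RFC 2109 vs. RFC 6265), as an added example that is not part of the original post or of Sitecore: a small model of how a modern user agent parses a cookie's Domain attribute and decides which hosts the cookie is sent to. The host names (www/extranet/intranet.mydomain.com and the apex mydomain.com) are constructed for the illustration; the public-suffix check real browsers also apply is deliberately omitted.

```javascript
// Added example (not from the original post): RFC 6265 cookie-domain matching.
// Shows why Domain="mydomain.com" and Domain=".mydomain.com" behave identically
// in modern browsers, and how a cookie without a Domain attribute stays host-only.

// RFC 6265 section 5.1.3: a request host domain-matches a cookie domain if they are
// identical, or the host ends with "." + domain (and the host is not an IP literal).
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false; // IPv4 literal never matches a parent
  return host.endsWith("." + domain);
}

// RFC 6265 section 5.2.3: a leading "." in the Domain attribute value is ignored.
function parseDomainAttribute(value) {
  if (value === "") return null;
  return (value.startsWith(".") ? value.slice(1) : value).toLowerCase();
}

// Minimal model of how a user agent stores a cookie set by `requestHost` (RFC 6265
// section 5.3). Returns the stored cookie, or null if the Domain attribute does not
// cover the setting host (such a cookie is rejected outright). Public-suffix checks
// that real browsers perform (e.g. rejecting Domain=com) are omitted here.
function storeCookie(requestHost, name, attrs) {
  const domainAttr = attrs.domain === undefined ? null : parseDomainAttribute(attrs.domain);
  if (domainAttr === null) {
    // No Domain attribute: host-only cookie, returned only to exactly this host.
    return { name, domain: requestHost.toLowerCase(), hostOnly: true };
  }
  if (!domainMatches(requestHost, domainAttr)) return null;
  return { name, domain: domainAttr, hostOnly: false };
}

// RFC 6265 section 5.4: would the stored cookie be sent with a request to `host`?
function isSentTo(cookie, host) {
  host = host.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
}

// Constructed scenario mirroring the post: three subdomains plus the apex domain.
const HOSTS = ["www.mydomain.com", "extranet.mydomain.com", "intranet.mydomain.com", "mydomain.com"];

// Compare the three ways the .ASPXAUTH cookie could be scoped when set from www.
function compareDomainForms() {
  const withDot = storeCookie("www.mydomain.com", ".ASPXAUTH", { domain: ".mydomain.com" });
  const noDot = storeCookie("www.mydomain.com", ".ASPXAUTH", { domain: "mydomain.com" });
  const hostOnly = storeCookie("www.mydomain.com", ".ASPXAUTH", {});
  return {
    withDot: HOSTS.filter((h) => isSentTo(withDot, h)),
    noDot: HOSTS.filter((h) => isSentTo(noDot, h)),
    hostOnly: HOSTS.filter((h) => isSentTo(hostOnly, h)),
    // A Domain that is not a parent of the setting host is rejected.
    foreign: storeCookie("www.mydomain.com", "x", { domain: "other.com" }),
    // A sibling subdomain is not a parent of the setting host either, so it is rejected too.
    sibling: storeCookie("www.mydomain.com", "x", { domain: "extranet.mydomain.com" }),
  };
}

console.log(compareDomainForms());
```

The practical consequence for the setup in the post: once the auth ticket is scoped to mydomain.com it is sent to, and can be read or overwritten by, every host under that domain, so a script-injection or compromise on any one subdomain exposes the session of all of them. Keep the forms cookie marked Secure and HttpOnly (requireSSL and httpOnlyCookies in web.config) and only widen the Domain as far as the sites that genuinely need to share the login.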