As you didn't mention which kind your (OAuth2) client is, it's a little bit hard to answer. A good practice is to follow the IETF best current practices, which are documented as (draft) RFCs:
Browser-Based Applications: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps
Native Apps: https://datatracker.ietf.org/doc/html/rfc8252
Many aspects, like cookie policy etc., are described there in depth. You could also try to look for an OAuth2 library for your software library that helps you with client-side token management. This would be my first approach to tackle the problem.