I am facing the same issue. On my old dating site 2meet4free, which is almost 20 years old. There is a webcam chatroom. I always offered code to embed this chatroom in your site, which uses an iframe. Nowadays I am revamping this website and attack the "embed webcam chatroom" part of the site and finding that right now on actual mobile devices (iPhone, Samsung) in any browser my iframe cant maintain any cookies at all. Even if I have setting sameSite to None on all these cookies, everything is https only, secure, has proper LetsEncrypt certificate. Yet my iframe on real mobile devices cant seem to hold to a single cookie at all!!!
So I sat down and solved this thinking on my chair :P Now I am 90% in that implementation and its actually working great.
Part 1: my app (the embed webcam chatroom) now passes the PHP session ID in the URL of all its internal links (I have a few links inside the iframe that actually change the iframe source, but mostly a lot of ajax calls. Every url needs to have this) Of course I am not exposing the session ID in urls which are not embed, and made the session of embed ppl expire server side at after 5 minutes of inactivity. This now makes the app "work" on its own without needed cookies at all!
Part 2: I already had an "external script" that was embeded along with the iframe (mostly to pop divs on the parent page, like webcam views and message windows). Now I also use this external script to pass my session ID to the parent page with postMessage and make the parent page save that in a cookie for me (so thats a 1st party cookie now!). Also my iframe source is now beeing set by that same script, after checking that cookie, so it can put that same session id in the initial iframe URL as well. Now you can even "change pages" or reload the page and my chatroom holds its session that way.
Part 3: this is for the longterm "re-log". Its a chatroom, I want minimal security, and keep you logged in for as long as possible! I set a long term "1-time" relog cookie in the parent window as well. This cookie is a 1-time token that allows to relog. For security, everytime this cookie is exposed in a url (normally will only be in the initial iframe url), it is then changed (the token is changed in the database) and sent to the parent window again. So every time this long term relog cookie is exposed in a url it is immediately replaced by a new 1 (which means someone having a hold of that url wouldnt be able to relog because it was used once already because it was in the url)
Well that's it. Hope that might help someone!