1. Do you have the same session id when the client is redirected back to your application?
2. Are your client and OAuth2 server on the same host? If not, you should be aware that the cookie shouldn't be set to Strict, because the browser will not send it back to a different domain. It should be set to Lax in this scenario.
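As an added illustration (not part of the original answer), here is the browser's SameSite decision for the redirect back from the OAuth2 server modelled in Python. Hostnames are constructed, and the site comparison is simplified to the last two host labels (an assumption that ignores the public suffix list). It goes slightly beyond the answer by also showing that Lax still drops the cookie when the redirect back is a cross-site POST.

```python
# Constructed model of the browser's SameSite rule, applied to the
# redirect from an OAuth2 authorization server back to the client app.
# Assumption: a "site" is approximated as the last two host labels
# (no public suffix list), enough to show the Strict/Lax difference.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def registrable_domain(host: str) -> str:
    """Approximate the 'site' of a host (assumption: last two labels)."""
    return ".".join(host.lower().split(".")[-2:])


def same_site(host_a: str, host_b: str) -> bool:
    return registrable_domain(host_a) == registrable_domain(host_b)


def cookie_is_sent(same_site_attr: str, initiator_host: str, target_host: str,
                   method: str, top_level_navigation: bool) -> bool:
    """Is a cookie with this SameSite attribute attached to a request to
    target_host that was initiated from a page on initiator_host?"""
    attr = same_site_attr.capitalize()
    if same_site(initiator_host, target_host):
        return True              # same-site requests always carry the cookie
    if attr == "Strict":
        return False             # never sent on any cross-site request
    if attr == "Lax":
        # Only safe-method top-level navigations, e.g. a 302 back to the app.
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True                  # SameSite=None (must also be Secure)


def session_survives_oauth_redirect(same_site_attr: str, client_host: str,
                                    auth_host: str,
                                    response_method: str = "GET") -> bool:
    """Does the client's session cookie come back when the OAuth2 server
    sends the browser to the client's callback URL (a top-level navigation)?"""
    return cookie_is_sent(same_site_attr, auth_host, client_host,
                          response_method, top_level_navigation=True)


if __name__ == "__main__":
    for attr in ("Strict", "Lax"):
        print(attr, "same host:",
              session_survives_oauth_redirect(attr, "app.example.com", "app.example.com"))
        print(attr, "other site:",
              session_survives_oauth_redirect(attr, "app.example.com", "auth.example.net"))
```

With Strict the session cookie is missing on the callback, so the application sees a new session id; with Lax the GET redirect carries it, but a form_post style response (POST) would not.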