Service providers need a way to determine which identity provider in a circle of trust is used by a principal requesting authentication. Because Circles of Trust
are configured without regard to their location, this function must work across DNS-defined domains. A common domain is configured, and a common domain cookie written, for this purpose.
There might be more information for this subject on one of the following: