Hi Avi,
I believe you have determined the right solution.
CA SSO handles multi-domain SSO by passing the SMSESSION value as a query parameter or as a GUID on redirects from the Cookie Provider so they can be set in the origin Agent's domain. CORS implementations tend to be restrictive about requests and passing cookies across domains without specific settings. CA SSO relies heavily on redirects and cookies, so adding CORS to the environments can be challenging.
If you use a header trace and look at the various cookies with CORS enabled, you can see the SameSite value as either Strict, Lax, or blank. This can help with troubleshooting, as you can then compare the cookie domain and its SameSite value against what you have configured to see why some cookies are passed and others are not. Strict being the most restrictive, Lax will allow top-level requests, and None leaves the SameSite value blank.
Also note that if you set your MinimumSameSitePolicy to anything other than None, setting individual cookies to None will no longer work as they will be set to whatever Minimum was configured.
Hope this helps!
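
The header-trace comparison described in the reply above, as an added example that is not part of the original post or of CA SSO: it parses the Set-Cookie lines of a trace, reports each cookie's domain and SameSite value, and lists cookies whose observed value differs from what was configured. The trace, the cookie names other than SMSESSION, and the `EXPECTED` mapping are constructed for illustration.

```python
# Constructed header trace (not captured from a real environment).
# SMSESSION is the cookie named in the post; the other names are hypothetical.
TRACE = """\
HTTP/1.1 302 Found
Set-Cookie: SMSESSION=constructed1; Path=/; Domain=.example.org; Secure; HttpOnly; SameSite=None
Set-Cookie: APP_PREF=constructed2; Path=/; Domain=.example.org; Secure; SameSite=Lax
Set-Cookie: LEGACY_STATE=constructed3; Path=/; Domain=app.example.org; Secure
Set-Cookie: CSRF_TOKEN=constructed4; Path=/; SameSite=Strict
"""
# What the administrator believes is configured (assumed values for the example).
EXPECTED = {"SMSESSION": "None", "APP_PREF": "None", "CSRF_TOKEN": "Strict"}

def parse_set_cookies(trace):
    """Return one dict per Set-Cookie header: name, domain, samesite, secure."""
    cookies = []
    for line in trace.splitlines():
        header, _, value = line.partition(":")
        if header.strip().lower() != "set-cookie":
            continue  # status line and other headers are skipped
        parts = [p.strip() for p in value.split(";")]
        attrs = {k.strip().lower(): v.strip()
                 for k, _, v in (p.partition("=") for p in parts[1:])}
        cookies.append({
            "name": parts[0].partition("=")[0],
            "domain": attrs.get("domain", "").lstrip(".").lower() or "(host-only)",
            "samesite": attrs.get("samesite", "").capitalize() or "(blank)",
            "secure": "secure" in attrs,
        })
    return cookies

def cross_site_behaviour(cookie):
    """Describe when a browser attaches this cookie to a cross-site request."""
    s = cookie["samesite"]
    if s == "Strict":
        return "never sent cross-site"
    if s == "Lax":
        return "sent cross-site on top-level navigation only"
    if s == "None":  # Chromium requires Secure alongside SameSite=None
        return "sent cross-site" if cookie["secure"] else "rejected by Chromium-based browsers"
    return "no SameSite attribute: browser default applies (Chromium treats it as Lax)"

def mismatches(cookies, expected):
    """Return (name, configured, observed) where the trace disagrees with config."""
    return [(c["name"], expected[c["name"]], c["samesite"]) for c in cookies
            if c["name"] in expected and expected[c["name"]] != c["samesite"]]

if __name__ == "__main__":
    for c in parse_set_cookies(TRACE):
        print(c, "->", cross_site_behaviour(c))
    print("mismatches:", mismatches(parse_set_cookies(TRACE), EXPECTED))
```

In the constructed trace, APP_PREF was configured as None but arrives as Lax, which is the pattern to look for when a minimum policy is overriding per-cookie settings.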