Since you mentioned creating cookies, I assume app A & B both use the same server-side logic (perhaps middlewares since it’s a common practice) to make sure users are authenticated before they can access protected resources of your apps.
When your app uses middleware, there would be a cookie middleware on top of an authentication middleware. The cookie middleware processes the request first. When it sees a valid session cookie issued by your app before, authentication criterion is met, and the authentication middleware will be skipped. The protected resource will be served by your app.
When there is not a valid cooke, perhaps because the user uses app A for the first time, the authentication middleware will step in after the cookie middleware failed to detect a valid cookie. This middleware will generate an authentication request to Okta. At this point, if the user has never authenticated with Okta on this machine before, Okta will challenge the user for credential. After successful Okta authentication, Okta will also issue a cookie, which is tied to the specific domain for your Okta org. In addition to the cookie, which is save to the client’s browser, your application’s authentication middleware also gets the signal that the user is authenticated. At this point, your application issues its session cookie to the browser, and serves the protected resource. Any subsequent request to app A will carry the session cookie, which will let app A’s cookie middleware to green-light the request.
The key point is two cookies are stored by the browser now, one for your app (app A) and one for Okta.
Assume app B is also connected to the same Okta org (meaning same Okta domain), then the prior Okta cookie will apply to app B as well. Now when the user access a protected resource in app B for the first time, app B’s authentication middleware will step in after its cookie middleware failed to detect a valid session cookie for app B. But when the authentication request is sent to Okta, Okta sees a valid cookie of its own and will NOT challenge the user for credential. The authentication middleware silently passed, cookie for app B is then issued, and the protected resource is served.
Hope that helps.