Some network functionality, such as load balancing, may depend on how connections are established from the client workstation to a CA PAM instance. For instance, it is useful to know whether a single connection or more than one is established between the CA PAM client (or the browser) and the CA PAM instance on initial login, and how the different session cookies are set. Understanding the initial flow helps in making the correct decisions when designing an efficient network layout.
PAM uses cookies at login for user authentication and authorization purposes. Depending on the authentication type, it may generate more than one cookie.
The first cookie is generated when the client connects to PAM for the first time. After that, once the user selects the authentication type, authenticates with the username/password and performs additional steps, a second cookie may be created. The reason for doing this is to keep the session alive after the user interacts with the PAM server.
When an old session is invalidated by a timeout or by the internal cleanup process, PAM cleans up all the old sessions in a temporary storage area to reclaim disk space, so that usage does not cross a certain limit. When PAM reaps a session prematurely, it destroys the old session file.
During this process, the PAM server generates new sessions so that a race condition can be avoided. For specific authentication that involves RADIUS challenges, PAM does not generate the session ID, as it causes issues with the PAM client when opening a page that requires a new tab, such as Password Management (this will end the session).
Please note that the cookies are only used in a single connection, and a new connection is not spawned at any point.
Cookies generated with different PHPSESSID values are not independent: they are related in serial order.
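
One way to check this serial ordering in a capture of a login, as an added example that is not CA PAM code: the Python sketch below walks the request Cookie and response Set-Cookie headers in capture order and rebuilds the chain of PHPSESSID values. The header values, session IDs and function names are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample: one (Cookie request header, Set-Cookie response header)
# pair per exchange, in capture order. IDs and attributes are made up.
CONSTRUCTED_EXCHANGES = [
    ("", "PHPSESSID=aaa111; path=/; secure; HttpOnly"),   # first contact
    ("PHPSESSID=aaa111", ""),                             # auth type selected
    ("PHPSESSID=aaa111",
     "PHPSESSID=bbb222; path=/; secure; HttpOnly"),       # after authentication
    ("PHPSESSID=bbb222", ""),                             # normal use
]


def session_id(header, name="PHPSESSID"):
    """Return the named cookie's value from a Cookie/Set-Cookie header, or None."""
    if not header:
        return None
    jar = SimpleCookie()
    jar.load(header)
    return jar[name].value if name in jar else None


def trace_session_chain(exchanges):
    """Rebuild the ordered chain of issued session IDs.

    Returns (chain, problems). A problem is recorded whenever the client
    presents an ID other than the most recently issued one, which means the
    capture does not show a single serial chain.
    """
    chain, problems = [], []
    for i, (req_cookie, set_cookie) in enumerate(exchanges):
        sent = session_id(req_cookie)
        issued = session_id(set_cookie)
        current = chain[-1] if chain else None
        if sent != current:
            problems.append(
                f"exchange {i}: client sent {sent!r}, expected {current!r}")
        if issued and issued != current:
            chain.append(issued)  # new ID issued against the previous one
    return chain, problems


if __name__ == "__main__":
    chain, problems = trace_session_chain(CONSTRUCTED_EXCHANGES)
    print(" -> ".join(chain))
    print(problems or "single serial chain")
```

Each entry in the returned chain was issued in response to a request carrying the previous entry, so a login produces one ordered sequence of PHPSESSID values rather than independent sessions.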