I would double-check that the browsers are not set to block third-party cookies. Then, make sure the SSL certificate you are using is trusted. E.g. if you are using a self-signed cert, you may need to add it to the trusted certificates list. Then, make sure the hash salt string is the same in the admin as well as the front-end app. And then, any firewalls, URL rewriting rules, proxy servers or gateways may play some role here as well, in general.