
Invalid state parameter when multiple login attempts are initiated with external IdP in different browser tabs #3701

@Amitabh36

Issue Summary

When Cloud Foundry UAA identityZone is configured with an external Identity Provider (Okta, Entra, etc), users encounter an “Invalid state parameter” error if they initiate the login flow in two different browser tabs using the same browser.
The second login attempt overwrites the state stored in UAA’s session, causing the first login callback to fail.

Steps to Reproduce

  1. Configure CF UAA identity zone with an external OIDC provider (Okta).
  2. From the same browser session, open two tabs:
  3. Tab 1 → navigate to /oauth/authorize endpoint
  4. Tab 2 → navigate to /oauth/authorize endpoint
  5. UAA generates a state value and stores it in the session for Tab 1 (S1).
  6. User triggers login from Tab 2 → UAA overwrites the session state with S2.
  7. Complete the login in Tab 1 by entering Okta credentials.
  8. Okta redirects back to UAA with state=S1.
  9. UAA rejects the request with “Invalid state parameter” because the session now contains state=S2.

Expected Behavior

Ideally, UAA should either:

  1. Support multiple concurrent login transactions per session, or
  2. Reject one of the login attempts early with a clear warning, or
  3. Provide configuration options to manage state per request or store state per tab.

(Currently UAA supports only one login transaction per session.)
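The overwrite described in the steps above, as an added Python simulation (not UAA's own code): a session that holds a single pending `state` value (the current behaviour) beside one that keeps a bounded set of pending states keyed by value (the first of the expected behaviours). Class and function names here are my own, not UAA identifiers.

```python
"""Simulate OIDC state handling when two tabs start a login in one browser session."""
import secrets


class SingleSlotSession:
    """Session with one pending state: a second login overwrites the first."""

    def __init__(self):
        self.state = None

    def begin_login(self):
        self.state = secrets.token_urlsafe(16)  # new state replaces any pending one
        return self.state

    def complete_login(self, returned_state):
        ok = self.state is not None and secrets.compare_digest(self.state, returned_state)
        if ok:
            self.state = None  # single use: a replayed callback is rejected
        return ok


class MultiSlotSession:
    """Session with a bounded, insertion-ordered set of pending states, one per tab."""

    MAX_PENDING = 5  # cap so an attacker cannot grow the session without bound

    def __init__(self):
        self.pending = {}  # state value -> marker; dict keeps insertion order

    def begin_login(self):
        if len(self.pending) >= self.MAX_PENDING:
            self.pending.pop(next(iter(self.pending)))  # evict the oldest transaction
        state = secrets.token_urlsafe(16)
        self.pending[state] = True
        return state

    def complete_login(self, returned_state):
        # Each state is consumed exactly once; unknown or replayed values fail.
        return self.pending.pop(returned_state, None) is not None


def two_tab_login(session_cls):
    """Reproduce the issue's sequence: Tab 1 starts, Tab 2 starts, Tab 1 finishes first."""
    session = session_cls()
    s1 = session.begin_login()  # Tab 1 hits /oauth/authorize, gets S1
    s2 = session.begin_login()  # Tab 2 hits /oauth/authorize, gets S2
    tab1_ok = session.complete_login(s1)  # IdP redirects back with state=S1
    tab2_ok = session.complete_login(s2)  # IdP redirects back with state=S2
    return tab1_ok, tab2_ok
```

With the single-slot session the Tab 1 callback fails exactly as in the report, while the per-transaction set accepts both callbacks and still rejects a replayed or unknown state.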
