The Worklight 6.1 InfoCenter refers to a cookiePolicy parameter which can be set on an HTTP adapter. It mentions four possible values, but doesn't go into details about what they do. Is it safe to assume they all preserve cookies they are returned from the back-end HTTP service? How does that relate (if at all) to the JSESSIONID cookie that may be shared between the Worklight server and any back-end server? Do all calls from that adapter share the same cookie state, or does it depend on the security realm being used?

The cookiePolicy parameter in a HTTP adapter defines the way the adapter's HTTP client handles the cookies returned by the backend.

These cookies don't affect the JSESSIONID cookie returned by the application server to the client (mobile app).
The policy relates to all the cookies returned by the backend server to Worklight, including JSESSIONID.

To read more about each option, refer to the relevant IETF documentation for the specific standard.

To answer (one of) my own questions, I have confirmed that in Worklight 6.2, each adapter has a separate instance of an HttpClient, and so the cookiePolicy acts only within the scope of one adapter. Different adapters will not share cookies by configuration.