fix: use auto cookie_secure to fix SSO invalid state parameter

The session cookie was not sent back on HTTP requests because
cookie_secure was hardcoded to true, causing OAuth2 state mismatch.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

config/packages/framework.yaml

@@ -10,7 +10,7 @@ framework:
     session:
         name: crm_session
         cookie_lifetime: 3600
-        cookie_secure: true
+        cookie_secure: auto
 
     #esi: true
     #fragments: true