Do you have the three hosts defined in the cookie's host list? Are they defined as hosts and not domains?
If you have a domain cookie for mycompany.com, there's no way to prevent it from being sent to mysite.mycompany.com. However, you could add an irule to mysite.mycompany.com that detects whether an access session is started or not and ignores the cookie appropriately:
--
when HTTP_REQUEST {
if { [HTTP::cookie exists "MRHSession"] && ([ACCESS::session exists -state_inprogress] || [ACCESS::session data get "session.policy.result"] == "not_started" ) && ! [string equal "[HTTP::uri]" "/my.policy"] } {
log -noname accesscontrol.local1.err "$static::ACCESS_LOG_PREFIX [IP::remote_addr] access [HTTP::uri] with in_progress session, redirecting to logout URI"
HTTP::close
here you can do whatever you want, easiest option is to simply 302 user to logout URI to delete apm cookie and start over
HTTP::respond 302 Location "/my.logout.php3"
}
}