The SDKs are setting credentials: 'include' on their CORS requests, and so AM needs to respond with Access-Control-Allow-Credentials: true to permit the request.
While fixing this, we should also review default settings of OAuth2 client's CORs configs.
Ensure they are more pervasive than current (e.g. allow credentials is exposed) in their default state.
Further actions may be of use - for example updating the exposed settings in the Oauth2 client's CORS configurations to allow this setting to be manually editted by an AM admin without recreating the dynamic config in a static form.
The org.forgerock.openam.cors.OAuth2ClientCorsConfig#allowCredentials method returns false and should be changed to true