The following is an extract from the OpenAM mailing list which I think is very useful in understanding the structure of the OpenAM session cookie.
> The session cookie is made up from two parts:
>
> Session ID
> Server Identifier
>
> The Session ID
>
> The session ID is a SHA1-PRNG generated secure hash. This
> hash references the session on the authoritative server.
> In order to forge the cookie they would need to guess a
> PRNG that matched exactly to a valid session with the same
> hash on a server. This would be next to impossible, it
> would be easier to try and steal the cookie value rather
> than try and generate a valid one from scratch.
>
> The Server Identifier varies depending on if the server
> is in a site and if the site is running session failover.
> The whole server identifier is base64 encoded. It is made
> up like this
>
> S101|SI10|SK34329478
>
> S1 is server instance, the server where the session resides
> SI is the Site Identifier, the site where the server resides
> SK is the storage key, used during session failover.
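
A parser for the server identifier layout described in the quoted extract, as an added example that is not part of the original post or OpenAM's own code. It assumes the identifier is exactly the `|`-joined S1/SI/SK fields shown above; the function name, field names and padding handling are hypothetical.

```python
import base64
import binascii

# Two-character field tags, as named in the quoted extract.
FIELDS = {"S1": "server_instance", "SI": "site_identifier", "SK": "storage_key"}


def parse_server_identifier(encoded: str) -> dict:
    """Decode a base64 server identifier into its tagged fields.

    Assumes the layout from the quoted extract: fields joined by '|',
    each starting with a two-character tag.
    """
    # Assumption: '=' padding may have been stripped in transit; restore it.
    padded = encoded + "=" * (-len(encoded) % 4)
    try:
        raw = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("server identifier is not base64-encoded ASCII") from exc

    parsed = {}
    for field in raw.split("|"):
        tag, value = field[:2], field[2:]
        if tag not in FIELDS or not value:
            raise ValueError(f"unexpected field {field!r}")
        if FIELDS[tag] in parsed:
            raise ValueError(f"duplicate field {tag!r}")
        parsed[FIELDS[tag]] = value
    # Assumption: the server instance is always present, while SI and SK
    # appear only when a site or session failover is configured.
    if "server_instance" not in parsed:
        raise ValueError("server instance (S1) field is missing")
    return parsed


# Constructed sample: the example string from the extract, base64-encoded.
SAMPLE = base64.b64encode(b"S101|SI10|SK34329478").decode("ascii")

if __name__ == "__main__":
    print(SAMPLE, "->", parse_server_identifier(SAMPLE))
```

Because the identifier is only base64-encoded, anyone holding the cookie can read the server, site and storage key values; the cookie's resistance to forgery rests on the session ID alone.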