Suppose all of these are key/value stores. For each:
Session cookie stores a value for who the user is for the current session (phew, the user is authenticated, let’s store that info)
Persistent cookie is how we recognize the user at a later time (phew, the user is authenticated, thankfully we stored that info)
Cookie for a password-protected session says that we found who a user is for authentication and we told them to provide a password for future reference. (phew, the user is authenticated, thankfully we stored that info)
Security cookie, I presume, says we’ve added more cryptography to a key/value, for example by providing a symmetric or asymmetric hash as an additional cookie.
As always I destroy my reputation by posting here. Dissent is expected.
[Edit: I deleted this post before subsequent comments and then restored it.]
I'm not sure, but I think the domain has to point to the load balancer and that one points later to each app server. So the load balancer gets the cookie and forwards the requests to the server from the cookie.
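The cookie-based routing described in the comment above, sketched as an added example that is not part of the thread: the load balancer reads an affinity cookie to choose the app server, and the cookie carries an HMAC so a client cannot edit it to select a backend. The backend names, the `backend.signature` cookie layout, the key and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample values: backend pool and signing key held by the load balancer.
BACKENDS = ["app1", "app2", "app3"]
LB_KEY = b"constructed-demo-key"


def _sign(backend: str) -> str:
    """HMAC-SHA256 over the backend name, hex encoded."""
    return hmac.new(LB_KEY, backend.encode(), hashlib.sha256).hexdigest()


def issue_affinity_cookie(backend: str) -> str:
    """Cookie value the load balancer sets after first assigning a backend."""
    return f"{backend}.{_sign(backend)}"


def pick_backend(cookie: Optional[str], client_id: str) -> Tuple[str, bool]:
    """Return (backend, cookie_was_trusted).

    The cookie is honoured only if it names a known backend and its
    signature verifies; anything else gets a fresh assignment.
    """
    if cookie:
        backend, _, sig = cookie.partition(".")
        expected = _sign(backend).encode()
        # Compare as bytes: compare_digest rejects non-ASCII str input.
        if backend in BACKENDS and hmac.compare_digest(sig.encode(), expected):
            return backend, True
    # Fallback: deterministic assignment from a hash of the client identifier.
    digest = hashlib.sha256(client_id.encode()).digest()
    return BACKENDS[digest[0] % len(BACKENDS)], False


if __name__ == "__main__":
    cookie = issue_affinity_cookie("app2")
    print(pick_backend(cookie, "client-a"))          # signed cookie is followed
    forged = "app3." + cookie.split(".", 1)[1]       # backend swapped, old signature
    print(pick_backend(forged, "client-a"))          # rejected, reassigned
```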