Why does the cookiemonster not work?
Cookies and LocalStorage are not meant to be used cross domain, so the plugin or website using your widget will have to log in (the first time the user enters). The credentials cannot (and should not) be visible cross domain.
How to use the same Cookies / LocalStorage cross domain
The user will at some point be asked to authenticate to your web API, with for example a username and a password. The token you return (credentials) can be set to the same token on all the sites that person is using.
Say user x comes in and asks your API for a token. Your API returns the token token123. User x now opens a new window and again asks for a token with the same username and password. Your API will now see that x already has a session, and will return token123 again.
When user y comes along and asks for a token with a different username and password, the API returns token345 and stores it on the client side.
The tokens will be stored in LocalStorage or as a Cookie, so that the client can check if the user already has a token, or if it needs a new one from the API.
As for security
I would highly suggest, for your users' sake, that you use a well-used and well-defined method of authenticating users and sending tokens. The best way would be to implement methods such as Microsoft Azure Active Directory or Google Sign-In (there are multiple well-used technologies out there). Storing tokens on your own server is not something you want to be doing. At least not passwords for users.