Accepting cookie for authentication override fails and users must enter login credentials on the GlobalProtect gateway. This scenario is valid if you are generating an authentication cookie on the portal and accepting it on the gateway, so users are not prompted to enter the gateway credentials until the cookie lifetime expires.
Diagnosis
System logs
+++++++++
(description contains 'GlobalProtect gateway user authentication failed. Login from: X.X.X.X, Source region: 192.168.0.0-192.168.255.255, User name: , Client OS version: Microsoft Windows 7 Enterprise Edition Service Pack 1, 64-bit, Reason: Cannot decrypt cookie, Auth type: cookie.' )
Cookie is encrypted by the certificate key used on the portal and if we use different certificate on gateway to decrypt the cookie it will fail.
Resolution
Make sure the same certificate that was used to encrypt the cookie on the portal is used on the gateway to decrypt the cookie file.