new SSO broken on some sites

E.g.

[Thu Nov 12 11:05:00.227047 2020] [auth_openidc:error] [pid 48] [client 81.28.197.181:32864] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error...
[Thu Nov 12 11:05:00.424341 2020] [auth_openidc:error] [pid 47] [client 81.28.197.181:60744] oidc_cache_shm_set: could not store value since value size is too large (%lu > 28940); consider increasing OIDCCacheShmEntrySizeMax
[Thu Nov 12 11:05:00.617594 2020] [auth_openidc:error] [pid 45] [client 81.28.197.181:33480] oidc_crypto_aes_decrypt: EVP_DecryptFinal_ex failed: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
[Thu Nov 12 11:05:00.617631 2020] [auth_openidc:error] [pid 45] [client 81.28.197.181:33480] oidc_base64url_decode_decrypt_string: oidc_crypto_aes_decrypt failed
[Thu Nov 12 11:05:00.617749 2020] [auth_openidc:error] [pid 45] [client 81.28.197.181:33480] oidc_restore_proto_state: no "mod_auth_openidc_state_8Fcy7ASbpOZZqDDiAggCpaEtt-Y" state cookie found
[Thu Nov 12 11:05:00.617779 2020] [auth_openidc:error] [pid 45] [client 81.28.197.181:33480] oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response: [src/jose/apr_jwt.c:177: apr_jwt_base64url_decode_object]: JSON parsing (json_loads) failed: unable to decode byte 0xf0 (\xf0W2\xec\x04\x9b\xa4\xe6Y\xa80\xe2\x02\b\x02\xa5\xa1-\xb7\xe6)\n
[Thu Nov 12 11:05:00.617786 2020] [auth_openidc:error] [pid 45] [client 81.28.197.181:33480] oidc_authorization_response_match_state: unable to restore state
[Thu Nov 12 11:05:00.617788 2020] [auth_openidc:error] [pid 45] [client 81.28.197.181:33480] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error...
[Thu Nov 12 11:06:59.175187 2020] [authz_core:error] [pid 5684] [client 2001:1458:d00:40::100:97:60314] AH01631: user admkst@cern.ch: authorization failure for "/lpgbt/v0":

I've seen this on my dev cluster as well webeos-proto (with authz-dev).