We do use cookies post-login with a single authentication application. The login app is something other apps just "plug-in", due to it's design (I wasn't there then, and am just getting my feet wet with it now) it authenticates then redirects to the appropriate system they were logging into (many of which are not https).

This SSL hosted redirect causes netscape to put up a dialog, but has no "check here to not ask again" so the user can avoid getting it next login.

On the certificate, the users are only being asked once a year (or if their machines are re-genned, new computer, etc). Aparently that is just too often...go figure.