Just to clarify that I am not missing something important - you want to achieve the following:
Client goes to https://app.example.com (Resource Server).
Is redirected to https://auth.example.com (Authentication Server), client authenticates with <whatever>, receives token.
Is redirected back to https://app.example.com and authenticates there once with the token received from the Authentication Server.
The client then receives the APM cookies and no further token is required.
Is that correct? Because I got this working with your settings from above.
The only thing I have different is the cookie settings and some minor stuff like username instead of mail.
Anything obvious that might be off in your config? Like mixing http and https or IP and FQDN, or something off with your DNS config in apm-dns-resolver?