This is still reproducible on OCP v3.7.44 by following these steps:
1) Open tab A to the console, let it redirect you to the login page, DO NOT LOG IN
2) Open tab B to the console, let it redirect you to the login page
3) Complete the log in from tab B, it will succeed
4) Complete the log in from tab A, it will fail wth "Client state could not be verified"
The fix within the origin-web-common (PR ) repo is included only for versions 3.7.1 and 3.7.2 but not for 3.7.0, I'm wondering if we can check whether the correct origin-web-common repo was taken for v3.7.42+.
The steps you list are expected. See
> What this will not change - once you log in through any of the tabs, the nonce will be destroyed so that it can not be reused, this is an intentional security measure. This means any other tabs still sitting on the log in page, you will not be able to just log in on those tabs, you will need to hit the back button to go back to the console.
Confirming that are you are able to login in using one of the tabs? It's only the second that fails?
Closing since this is working as intended based on the description.