If you are, in fact, sure that the cookie-jar is working properly (i.e. you can s-h-o-w that it contains a cookie a-n-d that the cookie is being sent back to the host ...) then pretty-much the only other alternative is that the host has added something to the returned URL-string. To conclusively figure out what is going on ... how the single-sign-on trick was done ... you must look at the actual HTTP post/response streams that are passing back-and-forth between the host and your Perl program. But first, aggressively adopt the stance of “trust, but verify.™” Do not “assume” one single thing to be the case until and unless you can prove it to be so.
(Be prepared, thereafter, to feel the urge to say “d’oh!” ... but do not actually imitate Homer Simpson when that (inevitably) happens.) :-D