"Token Expired" error message when returning from a supplier's PunchOut catalog
I receive a Token Expired error message when returning from a supplier's PunchOut catalog.
Multiple scenarios can cause this error:
- The URL the buyer uses to access the catalog is the deprecated s1-2.ariba Front Door.
- The session's BuyerCookie value from the POSR is not maintained on the POOM returned by the supplier.
- When you start a PunchOut session in the catalog, the supplier's PunchOut catalog stores the BuyerCookie information in the order. If you end the PunchOut catalog session and later start a new PunchOut session to complete the catalog shopping process, the site continues with its previously created order, which still carries the old session's BuyerCookie information, and submits that to your Ariba Procurement Solution.
- The supplier uses cross-site cookies, which the latest versions of the Chrome and Edge browsers restrict.
- The Chromium project changed how cookies are handled in winter of 2020. Details on this change can be found in KBA 186196. Users on a Chrome version prior to 90 could disable SameSite cookies to avoid being impacted; however, as of version 90, SameSite cookies can no longer be disabled.
Depending on which scenario applies to your situation, one of the following actions may need to take place:
- Ensure you are using the correct Front Door URL of s1.ariba.
- The supplier needs to resolve this type of issue within their PunchOut catalog, with Ariba's help in gathering logs. Analysis of the PunchOutSetupRequest (POSR) and PunchOutOrderMessage (POOM) can determine if the BuyerCookie value is maintained throughout your PunchOut catalog session.
- Please see KBA 186196.
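
One way to run the POSR/POOM comparison described above, as an added example (not SAP Ariba's or any supplier's own tooling). The cXML messages are constructed and trimmed to the elements the check needs, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample messages (DOCTYPE, Header and item data omitted).
POSR = """<cXML payloadID="posr-2@buyer.example" timestamp="2024-01-02T09:00:00Z">
 <Request><PunchOutSetupRequest operation="create">
  <BuyerCookie>SESSION-2</BuyerCookie>
 </PunchOutSetupRequest></Request>
</cXML>"""

def make_poom(cookie_xml):
    """Build a constructed POOM around the given BuyerCookie markup."""
    return ('<cXML payloadID="poom@supplier.example" timestamp="2024-01-02T09:05:00Z">'
            "<Message><PunchOutOrderMessage>" + cookie_xml +
            "</PunchOutOrderMessage></Message></cXML>")

POOM_OK = make_poom("<BuyerCookie>SESSION-2</BuyerCookie>")
# The supplier resumed an order created in an earlier session.
POOM_STALE = make_poom("<BuyerCookie>SESSION-1</BuyerCookie>")
POOM_MISSING = make_poom("")

def buyer_cookie(cxml_text, parent_tag):
    """Return the BuyerCookie text found under parent_tag, or None if absent."""
    if "<!ENTITY" in cxml_text:
        # Logged cXML has no reason to declare entities; refuse rather than expand.
        raise ValueError("unexpected entity declaration")
    node = ET.fromstring(cxml_text).find(f".//{parent_tag}/BuyerCookie")
    return None if node is None else (node.text or "")

def check_session(posr_text, poom_text):
    """Classify a POSR/POOM pair as 'match', 'mismatch' or 'missing'."""
    sent = buyer_cookie(posr_text, "PunchOutSetupRequest")
    returned = buyer_cookie(poom_text, "PunchOutOrderMessage")
    if sent is None or returned is None:
        return "missing"
    # BuyerCookie is opaque to the supplier: compare it exactly, no normalisation.
    return "match" if sent == returned else "mismatch"

if __name__ == "__main__":
    for name, poom in [("ok", POOM_OK), ("stale", POOM_STALE), ("missing", POOM_MISSING)]:
        print(name, check_session(POSR, poom))
```

A "mismatch" result corresponds to the scenario where the supplier's site returns the BuyerCookie of a previously created order.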