diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcCookieTokenStore.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcCookieTokenStore.java
index 927f87eb66c..88d37b90bcf 100644
--- a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcCookieTokenStore.java
+++ b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcCookieTokenStore.java
@@ -36,7 +36,8 @@ public class OidcCookieTokenStore implements OidcTokenStore {
 private final OidcHttpFacade httpFacade;
- private static final String DELIM = "___";
+ private static final String DELIM = "###";
+ private static final String LEGACY_DELIM = "___";
 private static final int EXPECTED_NUM_TOKENS = 3;
 private static final int ACCESS_TOKEN_INDEX = 0;
 private static final int ID_TOKEN_INDEX = 1;
@@ -206,7 +207,13 @@ public static OidcPrincipal getPrincipalFromCook
 String cookieVal = cookie.getValue();
 String[] tokens = cookieVal.split(DELIM);
 if (tokens.length != EXPECTED_NUM_TOKENS) {
- log.warnf("Invalid format of %s cookie. Count of tokens: %s, expected 3", OIDC_STATE_COOKIE, tokens.length);
+ // Cookies set by older versions of wildfly-elytron use a different token delimiter. Since clients may
+ // still send such cookies we fall back to the old delimiter to avoid discarding valid tokens:
+ tokens = cookieVal.split(LEGACY_DELIM);
+ }
+ if (tokens.length != EXPECTED_NUM_TOKENS) {
+ log.warnf("Invalid format of %s cookie. Count of tokens: %s, expected %s", OIDC_STATE_COOKIE, tokens.length, EXPECTED_NUM_TOKENS);
+ log.debugf("Value of %s cookie is: %s", OIDC_STATE_COOKIE, cookieVal);
 return null;
 }
 String accessTokenString = tokens[ACCESS_TOKEN_INDEX];
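Review bot: The two delimiter constants in the first hunk have no comment stating their roles, so a later reader cannot tell that `LEGACY_DELIM` exists only to read cookies written by older versions. I would add `// Separator for newly written cookies; presumably chosen because '#' cannot occur in a base64url-encoded token, unlike '_'` above `DELIM`, and `// Separator used by older versions; accepted when parsing only` above `LEGACY_DELIM`. The code that writes the cookie is not visible in this diff, so the "parsing only" wording should be confirmed against it.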
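Review bot: The added `log.debugf("Value of %s cookie is: %s", OIDC_STATE_COOKIE, cookieVal)` in the second hunk writes the entire cookie value to the log. That value is the delimiter-joined access token, ID token and a third token (presumably the refresh token). A cookie can fail the count check and still carry usable tokens, for instance if a legacy cookie has a token that itself contains `___`, so bearer credentials would end up in debug logs that are often retained or forwarded with weaker access control than the session itself. I would log only non-secret shape information, e.g. `log.debugf("Length of %s cookie value: %s", OIDC_STATE_COOKIE, cookieVal.length());`, or drop the line. The enclosing method starts and ends outside the hunk.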