2. How does it work?
This is just a brief summary glossing over many details. For the full story see the Webauth protocol specification.
When a browser connects to a Webauth-protected service for the first time, it presents no Webauth service cookie, so the server redirects the browser to the Webauth login page. After successful authentication, the Webauth login server sets a cookie that the browser will return to the login server, proving to it that the user has successfully authenticated. The Webauth login server then redirects the browser back to the Webauth-protected service. The redirect contains information that proves the identity of the user to the Webauth-protected service and allows the service to set a cookie that will be presented on subsequent visits.
When a browser visits a second Webauth-protected service, no service-specific cookie is presented, so the browser is redirected to the Webauth login server. However, this time the browser presents the cookie previously set by the Webauth login server. This proves the identity of the user to the login server, so it can immediately redirect the browser back to the second service along with the additional information required for the second service to set a cookie used for subsequent visits.
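The two visits described above can be traced in a small simulation. This is an added example, not Webauth code: the class names, the cookie names and the HMAC over a per-service key that stands in for the "information that proves the identity of the user" are all assumptions made for illustration, and the real token format is defined in the protocol specification.

```python
import hmac
import secrets

def mac(key, service, user):                  # assumed proof format: HMAC-SHA256
    return hmac.digest(key, f"{service}|{user}".encode(), "sha256").hex()

class LoginServer:
    def __init__(self, passwords):
        self.passwords, self.sessions, self.keys = passwords, {}, {}
        self.prompts = 0                      # times a password was actually needed

    def visit(self, jar, service, creds=None):
        user = self.sessions.get(jar.get("login"))
        if user is None:                      # no login cookie: authenticate the user
            self.prompts += 1
            name, password = creds or ("", "")
            stored = self.passwords.get(name)
            if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
                return None
            jar["login"] = secrets.token_hex(16)          # login-server cookie
            user = self.sessions[jar["login"]] = name
        return f"{user}|{mac(self.keys[service], service, user)}"  # sent in the redirect

class Service:
    def __init__(self, name, login):
        self.name, self.login, self.sessions = name, login, {}
        # Key shared between this service and the login server (assumption).
        self.key = login.keys[name] = secrets.token_bytes(32)

    def accept(self, token):                  # verify the proof carried by the redirect
        user, _, tag = token.rpartition("|")
        good = hmac.compare_digest(tag.encode(), mac(self.key, self.name, user).encode())
        return user if good else None

    def request(self, jar, creds=None):
        user = self.sessions.get(jar.get(self.name))
        if user is None:                      # no service cookie: redirect to login
            token = self.login.visit(jar, self.name, creds)
            user = self.accept(token) if token else None
            if user:
                jar[self.name] = secrets.token_hex(16)    # service-specific cookie
                self.sessions[jar[self.name]] = user
        return user

def demo():
    login = LoginServer({"alice": "constructed-password"})   # constructed account
    wiki, mail = Service("wiki", login), Service("mail", login)
    jar = {}                                  # the browser's cookies
    first = wiki.request(jar, ("alice", "constructed-password"))
    second = mail.request(jar)                # no credentials supplied this time
    return first, second, wiki.request(jar), login.prompts
```

Because the proof is bound to the service name and that service's key, a value issued for one service is rejected by `accept` on another.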