Maybe I'm missing something, but can't you separate your session and authentication with a different subdomain? E.g. my session on corp.paypal.com would be locked down to solely corp.paypal.com.
From a practical sense, what difference does a subdomain versus a dedicated domain offer if you're managing your certs correctly?
You can, but a lot of people lack the discipline to do so correctly. I'd prefer them to use corp.paypal.com, but as a security guy it's easier to just get them a separate domain and let them have their less-secured stuff completely isolated.
You can, but it is difficult and prone to errors. Separate domains solve the root cause of the issue. The alternative is an entry on the public suffix list.
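The three options discussed in the thread (host-scoped cookies on a subdomain, a separate domain, or a public suffix list entry) differ in how RFC 6265 cookie scoping treats them. The following is an added example, not code from the thread or from PayPal; it is a toy model of the RFC 6265 domain-matching and Domain-attribute rules, with constructed hostnames (careers.paypal.com, corp-paypal.example), a hand-built stand-in for the public suffix list, and a hypothetical paypal.com entry on that list to show what the "alternative" in the comment above would change.

```python
"""Toy model of RFC 6265 cookie scoping and the public suffix list (PSL).

Added example, not from the thread. Hostnames are constructed; the PSL
subsets below are hand-built stand-ins for the real list at publicsuffix.org.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed stand-in for the real public suffix list.
PUBLIC_SUFFIXES_DEFAULT = {"com"}
# Hypothetical: the same list if paypal.com were added as a public suffix.
PUBLIC_SUFFIXES_WITH_PAYPAL = {"com", "paypal.com"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # effective domain the cookie is scoped to
    host_only: bool   # True when no Domain attribute was supplied


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def set_cookie(request_host: str, name: str, value: str,
               domain_attr: str | None, psl: set[str]) -> Cookie | None:
    """RFC 6265 section 5.3, steps 5 and 6 (simplified).

    Returns the cookie a browser would store, or None if it would reject it.
    """
    request_host = request_host.lower()
    if domain_attr is None:
        # No Domain attribute: host-only cookie, scoped to exactly request_host.
        return Cookie(name, value, request_host, host_only=True)
    domain_attr = domain_attr.lower().lstrip(".")
    # Step 5: a Domain attribute naming a public suffix is ignored, unless it
    # is exactly the request host, in which case the cookie becomes host-only.
    if domain_attr in psl:
        if domain_attr == request_host:
            return Cookie(name, value, request_host, host_only=True)
        return None
    # Step 6: the setting host must itself lie within the requested domain.
    if not domain_matches(request_host, domain_attr):
        return None
    return Cookie(name, value, domain_attr, host_only=False)


def cookies_sent_to(host: str, jar: list[Cookie]) -> list[Cookie]:
    """RFC 6265 section 5.4: stored cookies that accompany a request to host."""
    host = host.lower()
    out = []
    for c in jar:
        if c.host_only:
            if host == c.domain:
                out.append(c)
        elif domain_matches(host, c.domain):
            out.append(c)
    return out


def scenario(psl: set[str], sensitive_host: str, weak_host: str,
             planted_domain: str) -> dict:
    """A less secured sibling host tries to plant a cookie that the sensitive
    host will receive (cookie tossing). The sensitive host itself follows the
    disciplined pattern: a session cookie with no Domain attribute."""
    jar = [set_cookie(sensitive_host, "session", "good", None, psl)]
    planted = set_cookie(weak_host, "session", "attacker", planted_domain, psl)
    if planted is not None:
        jar.append(planted)
    return {
        "planted_accepted": planted is not None,
        "values_sent_to_sensitive": [c.value for c in cookies_sent_to(sensitive_host, jar)],
        "sensitive_session_leaks_to_weak": any(
            c.value == "good" for c in cookies_sent_to(weak_host, jar)),
    }


if __name__ == "__main__":
    print(scenario(PUBLIC_SUFFIXES_DEFAULT, "corp.paypal.com", "careers.paypal.com", "paypal.com"))
    print(scenario(PUBLIC_SUFFIXES_WITH_PAYPAL, "corp.paypal.com", "careers.paypal.com", "paypal.com"))
    print(scenario(PUBLIC_SUFFIXES_DEFAULT, "corp-paypal.example", "careers.paypal.com", "paypal.com"))
```

In the first scenario the sensitive host's own session cookie stays host-only, but the sibling's Domain=paypal.com cookie is still accepted and is sent to corp.paypal.com alongside it, so the application must not trust cookie names blindly; this is the "discipline" the thread refers to, and the browser-enforced `__Host-` cookie prefix is the usual way to make it mechanical. With paypal.com on the PSL the planted cookie is rejected at set time; with a separate domain it is accepted but never sent to the sensitive host.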
Which would not be easy to get, considering PayPal is not running a public suffix.
You can request entries on it; the list is not just for TLDs.
Yes, but the list is for public suffixes, i.e. domains under which users can get their own subdomains.