
You'd think even the world's most incompetent IT team could manage to point a subdomain at a remote server, but apparently not.



I have contracted at places where that would be a very formal request with tons of meetings and approval flows across purchasing, IT security, website ops, the design/branding team, etc. Weeks of lead time required.

Basically, the request signals all the little fiefdoms that it's their chance to weigh in.


Not without sending every user's equifax.com cookies to that outside agency's servers.


Hmm, point. Of course, there are tons of ways to get around that problem.


Can you share the best?


The first one that comes to mind would be to invalidate all existing cookies so that the ones accessible to the other server aren't useful. I wouldn't call that the "best" since invalidating cookies can be annoying for users, but I'm sure there are other ways.


If a user has a cookie for example.com (your domain) and types vendor.example.com into the web browser, how would you invalidate these cookies before they are sent to the vendor? Or even after they are sent? I struggle a bit with seeing how this could be done in a secure manner.
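The leak the two comments above are describing comes down to the browser's cookie domain-matching rules (RFC 6265 sections 5.1.3 and 5.4): a cookie set with Domain=example.com is sent to every host under example.com, while a cookie with no Domain attribute (a "host-only" cookie), or one using the __Host- prefix, is sent back only to the exact host that set it. The following is an added example, not code from the thread or from any site mentioned in it; it implements those rules over a constructed cookie jar, with www.example.com and vendor.example.com as assumed hostnames, to show exactly which cookies a vendor-hosted subdomain would receive.

```javascript
// Added example (not from the thread). Implements RFC 6265 cookie storage and
// selection rules closely enough to show which cookies reach a subdomain run
// by an outside party. Hostnames and the cookie jar below are constructed.

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain if they are
// identical, or the cookie domain is a suffix preceded by "." and the host is
// not an IPv4 literal.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const dom = cookieDomain.toLowerCase();
  if (host === dom) return true;
  if (!host.endsWith(dom)) return false;
  if (host[host.length - dom.length - 1] !== '.') return false;
  return !/^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Store a Set-Cookie header received from host `setBy` (section 5.3).
// Returns the jar entry, or null if the browser would reject the cookie.
function storeCookie(setBy, setCookieHeader) {
  const [nameValue, ...attrs] = setCookieHeader.split(';').map(s => s.trim());
  const eq = nameValue.indexOf('=');
  const name = nameValue.slice(0, eq);
  const value = nameValue.slice(eq + 1);
  let domain = null, secure = false, path = '/';
  for (const a of attrs) {
    const [k, v = ''] = a.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'domain') domain = v.trim().replace(/^\./, '').toLowerCase();
    else if (key === 'secure') secure = true;
    else if (key === 'path') path = v.trim() || '/';
  }
  // A Domain attribute that the setting host does not itself match is rejected,
  // so www.example.com cannot set a cookie scoped to vendor.example.com.
  if (domain !== null && !domainMatches(setBy, domain)) return null;
  // __Host- prefix (RFC 6265bis): must be Secure, Path=/, and have no Domain,
  // which forces the cookie to be host-only.
  if (name.startsWith('__Host-') && (!secure || domain !== null || path !== '/')) return null;
  const hostOnly = domain === null;
  return { name, value, domain: hostOnly ? setBy.toLowerCase() : domain, hostOnly, secure, path };
}

// Section 5.4: names of the jar cookies a request to `host` would carry.
function cookiesFor(jar, host, https = true) {
  const h = host.toLowerCase();
  return jar
    .filter(c => (c.hostOnly ? h === c.domain : domainMatches(h, c.domain)) && (!c.secure || https))
    .map(c => c.name);
}

// Constructed jar: three cookies a main site might set, plus one it cannot.
const jar = [
  storeCookie('www.example.com', 'session=abc; Domain=example.com; Secure; Path=/'),
  storeCookie('www.example.com', 'hostonly=def; Secure; Path=/'),
  storeCookie('www.example.com', '__Host-sid=ghi; Secure; Path=/'),
  storeCookie('www.example.com', 'bad=xyz; Domain=vendor.example.com'), // rejected
].filter(Boolean);

// Only the Domain=example.com cookie leaks to the vendor's host; the
// host-only and __Host- cookies stay with www.example.com.
cookiesFor(jar, 'vendor.example.com'); // ['session']
cookiesFor(jar, 'www.example.com');    // ['session', 'hostonly', '__Host-sid']
```

The practical takeaway for the "how would you invalidate them" question: you cannot stop a Domain=example.com cookie from being sent to vendor.example.com once it exists, which is why the real fix is to never set a session cookie with a Domain attribute in the first place (or to use the __Host- prefix so the browser enforces that), and to put third-party content on an entirely separate registrable domain rather than a subdomain.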


Never underestimate how incompetent people can be. When I was waiting for my South African visa application to go through, I had to check the status at a scammy-looking URL. The form would reload if you pressed enter, and pressing tab after the ID field would set the focus to the logo above it instead of the password field below.



