Changes to OWIN Middleware on version 12.1.x`

Not sure what you are actually referring to, community does not use OWIN libraries, and if it was not a specific community API, there is not really a guarantee of upgrade safety.  IN terms of auth, not sure which secure cookies you are referring to.  If a site is running SSL, community should be marking cookies secure already.  In terms of authentication cookies, that and SSO were completely overhauled in 12.1 and the application is no longer forms auth based, it is also internally managed.

We had a custom AAD Dual auth implementation that used an OWIN startup class.  After moving to 12.1, the cookies it was writing stopped working.

I'm wondering if the out of the box OpenId provider could work.

We had a custom AAD Dual auth implementation that used an OWIN startup class.  After moving to 12.1, the cookies it was writing stopped working.

I'm wondering if the out of the box OpenId provider could work.

OpenID works with Okta or Azure AD, other services are may work but not verified/tested.   In terms of SSO, there is extensibility using IAuthenticationPlugin(v3), this and the previous versions were the only supported way to achieve SSO.

You will not get Dual Auth using OpenID.   It might be possible in the new framework to achieve dual SSO, but you would have to write an IAuthenticationPlugin implementation and have something that tells the login process not to redirect.