It should not be necessary to store more state attributes just to support the authentication API. The same session attributes should cover both API and non-API requests.

You can also wrap an API-capable adapter in a PingFederate-managed authentication session. PingFederate-managed authentication sessions mean that many adapters no longer need to provide their own internal session tracking.