Tech assist went as far as they could and we begrudgingly accepted closing the case with the resolution that we have to add "arcgis.com" to the Trusted Sites for every GIS user who authenticates on our services with IE or Edge when they are used in AGOL web maps.
End users should NEVER have to suffer through getting this message:
Just because our case closed doesn't mean the software isn't broken. It just means there is a hugely expensive workaround resolution that we have to go through.
Additional information:
In testing we temporarily fixed it internally by moving the Web Adaptors to the machine on which the GIS Enterprise component is installed and running IIS rewrite rules to that machine from the public Gateway. In our case having the Web Adaptors on a Gateway appears to be contributing to the problem (or possibly creating it). When the WA was on the component machine everything behaved normally.
We also messed with our IIS headers at the gateway in testing. It appears the Web Adaptor, when installed on the gateway IIS, is creating a condition where multiple headers are being injected into the web stream, not just the ones from the IIS configuration.
We set up and tested the custom header for CORS "Access-Control-Allow-Origin" value="*" on the IIS even though this shouldn't be necessary if there are no restrictions required. It completely fixed the IE/Edge issue with AGOL.
Unfortunately, it broke everything else, all other authentication to the GIS services from other domains stopped working - everything except AGOL using IE/Edge.
Assessment of the web stream indicated a 2nd CORS header being delivered from the IIS with a Web Adaptor installed on it. One header turning into two, as if a second CORS header was already set up.
ESRI needs to hop on this one and get it fixed. This is certainly a problem for which their expertise and some software tweaking can contribute to a global solution.
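An added diagnostic for the condition described in this post (my own example, not code from the post, from Esri, or from the Web Adaptor): it parses a captured HTTP response head and flags the double `Access-Control-Allow-Origin` header that the web stream showed, plus the general browser rule that a wildcard origin cannot be combined with `Access-Control-Allow-Credentials: true`. The sample responses are constructed for the example, not captured from a real gateway; the header names and the rules are standard CORS behaviour, and `check_cors`/`parse_response_headers` are names chosen here.

```python
"""Check a captured HTTP response for CORS header problems.

Browsers require exactly one Access-Control-Allow-Origin header on a
cross-origin response; when IIS and a reverse proxy/Web Adaptor both add
one, the response carries two and the browser fails the CORS check.
Separately, a wildcard origin ("*") is rejected for credentialed
requests (cookies, Basic/IWA auth) when Allow-Credentials is "true".
"""
from typing import Dict, List, Tuple


def parse_response_headers(raw: str) -> List[Tuple[str, str]]:
    """Parse the head of a raw HTTP response into ordered (name, value)
    pairs. Duplicate header names are preserved on purpose; collapsing
    them (as many HTTP libraries do) would hide exactly the defect we
    are looking for."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response head")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_cors(headers: List[Tuple[str, str]]) -> Dict[str, object]:
    """Return the Access-Control-Allow-Origin values seen and a list of
    findings; an empty findings list means the CORS headers are usable."""
    acao = [v for n, v in headers if n == "access-control-allow-origin"]
    creds = [v for n, v in headers if n == "access-control-allow-credentials"]
    findings: List[str] = []
    if len(acao) > 1:
        # Two origin headers: browsers treat the header as invalid,
        # so the cross-origin request fails even if both values look right.
        findings.append(f"duplicate Access-Control-Allow-Origin: {acao}")
    if acao and acao[0] == "*" and any(c.lower() == "true" for c in creds):
        findings.append(
            "wildcard origin with Access-Control-Allow-Credentials: true; "
            "browsers reject this for credentialed requests"
        )
    return {"acao": acao, "ok": not findings, "findings": findings}


def report(raw: str) -> Dict[str, object]:
    """Convenience wrapper: parse then check."""
    return check_cors(parse_response_headers(raw))


# Constructed sample responses (not real captures).
SAMPLE_OK = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Access-Control-Allow-Origin: https://www.arcgis.com",
    "Access-Control-Allow-Credentials: true",
    "Content-Type: application/json",
    "", "{}",
])

# The condition from the post: one header from the IIS custom header,
# a second one injected on the same response by the gateway/Web Adaptor.
SAMPLE_DUPLICATE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Access-Control-Allow-Origin: *",
    "Access-Control-Allow-Origin: https://www.arcgis.com",
    "Content-Type: application/json",
    "", "{}",
])

SAMPLE_WILDCARD_CREDS = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Access-Control-Allow-Origin: *",
    "Access-Control-Allow-Credentials: true",
    "", "{}",
])

if __name__ == "__main__":
    for label, raw in [("ok", SAMPLE_OK), ("duplicate", SAMPLE_DUPLICATE),
                       ("wildcard+creds", SAMPLE_WILDCARD_CREDS)]:
        print(label, report(raw))
```

To use it against a real deployment, paste the response head from the browser's network panel or a proxy capture into `report`; checking the response at the gateway and again directly on the component machine shows which hop adds the second header.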