browser-reports Http Referer header with the domains/urls submitted for your particular setup.   Payment Gateways should pass it back to next integration layer.  Check your payment configuration to pass it.    Dispatcher just acts as proxy & does not add anything.  If required you can fake using rew...

At CQ you need to custom implement for specific url.   In general AEM relies on web application/server firewall to protect.For your usecase use referrer header-based solution which can either be achieved using mod_rewrite [1] or something more elaborate like mod_security [2] on the webserver tier.[1...

Issue (CQ5-11022) has been filled.

AFAIK oob no option to have dynamic participant steps to have delegation. Please file daycare with your business case.

http://helpx.adobe.com/experience-manager/kb/invalidpollingconfiguration.html

Please file daycare & looks like a bug. 

Your cookie & config looks right to me. Please try [1] & also file daycare ticket.[1]  *   At start of dispatcher did you see message "Sticky Connections enabled"*   Just as a trial can you rename the renderid with underscore & see if it works. Just suspecting is the parser considering underscore to...

Have you by any chance configured failover in dispatcher.any ?

This could happen when a mobile page is opened for the first time & bug is filled (CQ5-34469). Refreshing page is one of workaroun. Please file daycare if it is impacting you. 

This message is logged with a warning, because in theory such case shouldn't happen (ie. the item should not be in the cache). In practice, the crx access manager causes such warn messages & can be ignored. Are you using IBM JDK.  If you can reproduce please file daycare ticket.