User name associated with cookie in Client Connector

My organisation has implemented ZIA services and used a perpetual authentication cookie to authorise use for ZIA. The user base is using Client Connector to provide Zscaler services.

The issue is that the UPN for users has been changed on our domain. All users now show an incorrect UPN in the Client Connector. This still authenticates but has led to an issue when we have begun to provision ZPA services. The ZPA service is trying to associate with the new UPN but the Client Connector is still associated with the old UPN. Due to this mismatch, we cannot provision seamlessly.

Query: Is there any method of forcing the Client Connector authentication cookie to refresh without asking all the user base to press login on the Client Connector GUI?

The issue is that if we simply remove the affinity between user and the device in the Client Connector portal, all users will be logged out of the Client Connector and this will then fail open until a manual login is selected by the user. This compromises the users' security protection without the user being aware and could lead to a breach.

Ideally, a solution would create a situation where the Client Connector cookie can be expired and single sign-on would take place to generate a new authentication cookie. The new authentication cookie would generate with the updated UPN. This would allow ZIA and ZPA to integrate effectively.