I think I misused the word "session."
The protocol specifies several different response types. My client can request a code, token, or id_token or a combination of the three, according to the OIDC specs (and Gluu's own API docs) - and I was actually asking about the lifetime of the code or token.
I understand that browser sessions are a completely different piece of the puzzle.
This is my first time setting up SSO, and I'm not all that familiar with OIDC, so please do not hesitate to correct me if necessary.