I got it working after reading the post below by @tommy.
The mistake I was making was not including the domain (i.e. app.domain.com) in the whitelist URL.
Thanks!