microsoft / TSS.MSR

The TPM Software Stack from Microsoft Research

Implementation of CFB mode parameter encryption is incomplete

wmjdgla opened this issue

```cpp
ByteVec keyInfo = Crypto::KDFa(HashAlg, SessionKey, "CFB", nonceNewer, nonceOlder, numKdfBits);
```

As per TPM Library - Part 1: Architecture - Section 21.1 Session-based encryption - Introduction:

> If a session is also being used for authorization, sessionValue (see 21.2 and 21.3) is sessionKey || authValue. The binding of the session is ignored. If the session is not being used for authorization, sessionValue is sessionKey.

sessionValue is passed as the key parameter to KDFa to generate the key and IV for CFB mode parameter encryption. However, the code just passes sessionKey and ignores authValue.
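
An added example, not code from TSS.MSR or from the issue author: KDFa as TPM 2.0 Part 1 defines it (SP 800-108 counter mode over HMAC), used to derive the CFB key and IV from sessionValue, so the effect of leaving out authValue can be seen. The function names, the AES-128 key and block sizes, and the sample values are assumptions made for the illustration.

```python
import hmac
import struct


def kdfa(hash_name, key, label, context_u, context_v, bits):
    """KDFa from TPM 2.0 Part 1: SP 800-108 counter mode over HMAC."""
    if bits % 8:
        raise ValueError("this example only handles whole-byte outputs")
    # Per-block input: [i]32 || Label || 0x00 || contextU || contextV || [bits]32
    fixed = label.encode() + b"\x00" + context_u + context_v + struct.pack(">I", bits)
    out, counter = b"", 1
    while len(out) < bits // 8:
        out += hmac.new(key, struct.pack(">I", counter) + fixed, hash_name).digest()
        counter += 1
    return out[: bits // 8]


def session_value(session_key, auth_value, used_for_authorization):
    """Part 1, 21.1: sessionKey || authValue when the session also authorizes."""
    return session_key + auth_value if used_for_authorization else session_key


def cfb_key_iv(hash_name, session_key, auth_value, used_for_authorization,
               nonce_newer, nonce_older, key_bits=128, block_bits=128):
    """Derive the CFB key and IV; the default sizes assume AES-128."""
    material = kdfa(hash_name,
                    session_value(session_key, auth_value, used_for_authorization),
                    "CFB", nonce_newer, nonce_older, key_bits + block_bits)
    return material[: key_bits // 8], material[key_bits // 8:]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real TPM session.
    session_key = bytes(range(32))
    auth_value = b"example-auth"
    nonce_newer, nonce_older = b"\x11" * 16, b"\x22" * 16
    per_spec = cfb_key_iv("sha256", session_key, auth_value, True, nonce_newer, nonce_older)
    key_only = cfb_key_iv("sha256", session_key, auth_value, False, nonce_newer, nonce_older)
    print("sessionKey || authValue:", per_spec[0].hex(), per_spec[1].hex())
    print("sessionKey only        :", key_only[0].hex(), key_only[1].hex())
    # The two derivations disagree on key and IV unless authValue is empty.
    print("match:", per_spec == key_only)
```

With an empty authValue the two derivations coincide, so a test that only uses empty-auth entities would not expose the difference.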