First of all, there's a difference between "concurrent user licensing" and "concurrent access sessions".
Concurrent user licensing is the number of licenses
purchased to provide remote connectivity such as SSL VPN, app tunnels, portal access. This does not generally include AAA (authn, authz, acct) functions.
Concurrent access sessions is the total number of sessions that can be maintained on the device per platform. This number includes everything.
When a browser connects to an APM VIP for the first time it is given a session token (cookie) for that session. When the user makes requests, that cookie is relayed to the APM VIP to maintain the application session. The session itself is a record in a table. Concurrent access sessions then is the total amount of table records that a platform can maintain, concurrently. Throughput is not relevant to this equation. One browser with one session cookie equals one session, regardless of throughput requirements. Now, should a user open multiple applications, they could indeed generate new sessions, and it's reasonably a good idea to find a way to "share" the session among the applications (single sign-on, domain cookies, multi-domain configurations, etc.) so that essentially one browser with multiple tabs open will store one session cookie that applies to all (or some) of the open applications.