CORS error persists in OAuth even after setting header

If by state you mean things like what page the user is currently on, or some non-persistent data, you could encode that into the state param in Step 1, and when the user is returned to your redirect URL it’ll include that same state param, allowing you to decode whatever state data you put there. This allows for things like if a user tried to load /some/path, but wasn’t logged in, you could store that in the state and when they get back you can return them to /some/path.

This is what can allow the login of a site to be seamless to the end user after the first time they have logged in, as it allows you to send them through the OAuth flow each time their session expires, and have them end up exactly where they are meant to be, and if you don’t use the force_verify param, then as long as the user hasn’t disconnected from your app the whole process will be almost transparent to the user.

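The return-to-path use of the state param described in the post above, as an added example that is not part of the original thread and not code from the API provider. It assumes a Node.js backend; the function names, the per-session nonce and the signing key are hypothetical. The state is signed and tied to the session, and the decoded path is checked so that a forged state cannot redirect the user off-site.

```javascript
// Added example: carry a return path in the OAuth state param, safely.
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const sign = (key, payload) => crypto.createHmac('sha256', key).update(payload).digest();

// Only same-site relative paths are accepted as a return target.
function safeReturnPath(path) {
  if (typeof path !== 'string') return '/';
  // Reject absolute URLs, protocol-relative "//host" and backslash variants.
  if (!path.startsWith('/') || path.startsWith('//') || path.includes('\\')) return '/';
  return path;
}

// Step 1: build the state value before redirecting to the authorize URL.
// sessionNonce is a random value stored in the user's session (assumption).
function buildState(key, sessionNonce, returnTo) {
  const payload = b64url(JSON.stringify({ n: sessionNonce, r: safeReturnPath(returnTo) }));
  return `${payload}.${b64url(sign(key, payload))}`;
}

// Redirect URL handler: verify the returned state, then recover the path.
// Returns null when the state is malformed, forged or from another session.
function readState(key, sessionNonce, state) {
  const [payload, mac] = String(state).split('.');
  if (!payload || !mac) return null;
  const expected = sign(key, payload);
  const given = Buffer.from(mac, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let data;
  try {
    data = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (!data || data.n !== sessionNonce) return null;
  return safeReturnPath(data.r);
}

// Constructed sample values, for illustration only.
const demoKey = crypto.randomBytes(32);
const demoNonce = crypto.randomBytes(16).toString('hex');
const demoState = buildState(demoKey, demoNonce, '/some/path');
console.log(readState(demoKey, demoNonce, demoState));     // path to return the user to
console.log(readState(demoKey, 'other-session', demoState)); // null: reject the callback
```

When `readState` returns null, treat the callback as invalid and start the login again rather than redirecting anywhere.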