There's a new bug in iOS 10, specifically in the Mobile Safari web browser. For some reason, it no longer correctly implements HTTP Digest Auth protocol. I've had to create a tiny work-around for this bug.
At first I suspected this bug was introduced on purpose to break iPhone webapps that Apple isn't receiving money from. But actually that's unlikely because Apple should have done something much more broadly effective if that were their purpose. More likely it's just due to a poor understanding of the protocol. Digest Auth is another untouchable mystery to a lot of people out there on the Web, it seems.