For most of them may be its a silly question but I want it to know this in very simple language.
If an application is not using CORS at all then should we put this SameSite cookie attribute?
and if Application has subdomain like abc.domain.com then what is the role of Samesite attribute ?
What is the connection between CORS and SameSite cookie attribute?
Basically nothing. SameSite is relevant with or without CORS, and CORS (even CORS with credentials) is relevant with or without SameSite. The only way they interact is that a cross-site (in the cookie sense, which is not always the same as cross-origin) request - which might be CORS-with-credentials - will not have SameSite-flagged cookies included.
If an application is not using CORS at all then should we put this SameSite cookie attribute?
Yes. Use SameSite any time you don't need other domains to make requests using your cookies (which can be done without CORS e.g. via form submissions, or without waiting for a CORS response from the server via "simple" CORS requests). You should also use other CSRF prevention though, especially if you don't fully trust every all content on every subdomain of your root domain.
if Application has subdomain like abc.domain.com then what is the role of Samesite attribute ?
SameSite treats all subdomains of the root domain (where "root domain" is determined using the Public Suffix List, but in this case would be "example.com") to be equivalent to the root domain, so "abc.example.com", "www.example.com", "totally.hostile.subdomain.example.com", and "example.com" are all treated as the "same site" and setting or not setting the SameSite attribute will have no effect between them.
If an application is not using CORS at all then should we put this SameSite cookie attribute?
In a very simple language as you requested, YES.
if Application has subdomain like abc.domain.com then what is the role of Samesite attribute ?
Irrespective of domain and subdomains CSRF attacks will be able to originate the request from the browser to do an action on behalf of the user without knowing the cookie of the user. Samesite attribute can effectively protect against CSRF attack. There are other ways to protect against CSRF too but this is one of the easiest and recommended way to do it.
