[hsbc] Sturdy handle_otp by adding otp_form to states

Because relogin or ActionNeeded can happen during the handle_otp, solely
relying on the presence of the otp config value may cause some issue. We
might already have validated the otp once but we will run handle_otp
once again.

Also using locate_browser() when handling otp can lead to weird
behaviour. In our case it leads to unavailable page.

To fix this we don't use locate_browser() anymore, instead we store the
otp_form_data and otp_validation_url to use them in handle_otp. We also
use their presence in states to be sure that it's the first time we call
handle_otp.

Closes: 337@sibi