In the FB developers docs for the OAuth authentication API, in the confirming identity section, it has this note:
Note that you can also generate your own state parameter and use it with your login request to provide CSRF protection.
Can you help clarify what exactly is the meaning behind this? I mean, how will I use a state parameter even if I generate one? Do I encode it as a part of the auth request URL? What purpose will it serve even if I did that?
Do I encode it as a part of the auth request URL?
Yes. It's also mentioned here in that document, as an optional URL-encoded parameter.
Whatever value you provide will be included in the URL of the redirect response that Facebook returns. It's a way, therefore, for you to pass some value through to your server.
What purpose will it serve even if I did that?
Since the value is simply passed between your app and the server, it's up to you to decide what, if anything, to do with it. The example mentioned is CSRF protection. By including a unique token as the state parameter you could ensure that the call to the server came from your app, rather than some malicious site.
(I don't think this is widely used, though, since the requirement to verify the authorization code or access token deals with most attack vectors.)
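The state round trip described in the answer above, as an added example that is not part of the original post or of Facebook's documentation. The authorization endpoint, client ID, redirect URI and the dict-like `session` object are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed placeholder values; not taken from the Facebook docs.
AUTHORIZE_URL = "https://auth.example.com/dialog/oauth"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/callback"


def build_login_url(session):
    """Create a one-time state token, bind it to the user's server-side
    session, and return the authorization URL that carries it."""
    state = secrets.token_urlsafe(32)  # unguessable, URL-safe
    session["oauth_state"] = state
    query = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url):
    """Return the authorization code only if the state echoed back in the
    redirect matches the one stored for this session."""
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])[0]
    expected = session.pop("oauth_state", None)  # single use: remove on read
    if expected is None or not hmac.compare_digest(
        returned.encode(), expected.encode()
    ):
        # The redirect was not started by this session (possible CSRF).
        raise PermissionError("state mismatch")
    code = params.get("code", [None])[0]
    if code is None:
        raise ValueError("callback carries no authorization code")
    return code
```

A callback that arrives with a missing, replayed or foreign `state` is rejected before the authorization code is ever exchanged.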