Currently the cfapplication is missing the attributes sessioncookie and authcookie meaning the developer has no control over the cookies set by cfapplication, see Adobe doc for details on attributes:
This would allow, for example a developer to set the cookie to a domain, be httpOnly, secure, etc... e.g.:
Google Group discussion here:
This is also related to this change here:
Which made CFID and CFTOKEN always be httpOnly cookies.
Also some background on setting a cookie as secure: