This has been fixed in the meantime, by having a JSESSIONIDVERSION response cookie inherit the security setting of the incoming JSESSIONID cookie, instead of the security setting of the request (HTTP vs HTTPS).
See https://glassfish.dev.java.net/issues/show_bug.cgi?id=7414 for details of the fix.
However, it seems that when a cookie is included with a request, it is never marked as secure, even if the corresponding response cookie was.
As a result of this, JSESSIONIDVERSION cookies will always be non-secure, which is essentially the same as the workaround suggested by Adam, except that no configuration changes in sun-web.xml will be required.
[Message sent by forum member 'jluehe' (jluehe)]
http://forums.java.net/jive/thread.jspa?messageID=350979
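
The behaviour described in the post above, as an added example that is not part of the original post and not GlassFish code: a Cookie request header carries only name=value pairs, so a server that copies the Secure setting from the incoming JSESSIONID always sees it as unset. The cookie values and the `version_cookie` helper are constructed for illustration, a simplified model of the inheritance rule.

```python
from http.cookies import SimpleCookie


def request_cookie_header(set_cookie_headers):
    """Build the Cookie header a client sends back: name=value pairs only.

    Attributes such as Secure and Path stay in the client's cookie store
    and are never echoed to the server.
    """
    pairs = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            pairs.append(f"{name}={morsel.value}")
    return "; ".join(pairs)


def has_secure_flag(header, name):
    """Return True if the named cookie in this header carries Secure."""
    jar = SimpleCookie()
    jar.load(header)
    morsel = jar.get(name)
    return bool(morsel is not None and morsel["secure"])


def version_cookie(cookie_header, version):
    """Hypothetical model of the fix: JSESSIONIDVERSION inherits the
    Secure setting of the incoming JSESSIONID request cookie."""
    out = SimpleCookie()
    out["JSESSIONIDVERSION"] = version
    out["JSESSIONIDVERSION"]["path"] = "/"
    if has_secure_flag(cookie_header, "JSESSIONID"):
        out["JSESSIONIDVERSION"]["secure"] = True
    return out["JSESSIONIDVERSION"].OutputString()


# Constructed sample: a session cookie issued over HTTPS with Secure set.
SET_COOKIE = "JSESSIONID=abc123; Path=/; Secure"

if __name__ == "__main__":
    incoming = request_cookie_header([SET_COOKIE])
    print("response cookie secure:", has_secure_flag(SET_COOKIE, "JSESSIONID"))
    print("request header        :", incoming)
    print("request cookie secure :", has_secure_flag(incoming, "JSESSIONID"))
    print("derived cookie        :", version_cookie(incoming, "3"))
```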