My architect got back to me.
"I stand corrected. It appears that this does work. I was lead to be believe that this could not be done in Apache, because Apache was the SSL endpoint, but not the creator of the cookie. However, it actually makes sense that this CAN be done."