I encountered the same issue and have made some modifications to /packages/acs-tcl/tcl/security-procs.tcl to handle this. I'll do more testing.
My modification allows a cookie domain to get sent through if there is one, does NOT set a domain if the hostname is an ip address, or will send .domain.com when the cookie is set.
Logging in and Logging out works properly across domain.com/www.domain.com. I have more testing that I'll do, and if it works as it should, I'll post a diff
