I believe all cookies are URLencoded as of ACS3.3, but it might be worth double checking.
Thanks for the pointer on this, Andrew. Your suggestion fixed the problem with logging in that I was encountering on my phone.
Since we're working off of the ACS3.2 code base, cookies are not URL encoded. To fix this, I have included a modified version of ad-security.tcl in the latest version which ns_urlencodes and decodes the ad_user_login and ad_session_id cookies. The modifications to ad-security.tcl also take into account the fact that you might have users running around with non-ns_urlencoded cookies.
Again, ad-security.tcl is not placed in the ./tcl directory by default, JIC you happen to have a modified version. Also, one thing I forgot to mention in my previous post: you must copy parameter file settings for this module from the ./doc/wap.html file into your ./parameters/servername.ini file.