I actually don't see any place in RFC 2695 which specifies (or
prohibits) a specific delimiter inside a cookie (I could be
missing it, though; any pointers would be helpful).
RFC 2965 points to the RFC 2616. 2616 states (around page 16) what is valid in a token and what is a delimeter. If there is a delimeter in the value, it needs to be placed in quotes. I noticed that ACS 4 doesn't have quotes around the value. I wonder if that would solve your WAP issue.
I'm not familiar with the OpenACS 3.2.x code, but in ACS 4.x
we introduced a set cookie abstraction procedure
(ad_set_cookie).
ad_set_cookie is in 3.2, but not used in ever place. Some code set the cookie headers directly.