Also I checked proc that I assume writes the session cookie 'sec_generate_session_id_cookie' in acs-tcl/tcl/security-procs.tcl and there is an ns_log in there that i expected to see in log...
ns_log notice "Security: [ns_time] sec_generate_session_id_cookie setting session_id=$session_id, user_id=$user_id, login_level=$login_level"
... but the line never appears even on the site that is working - is this proc not the one that writes the session cookie?