I'm not reallysure, but can you try to add this on your web.xml
Thank you Guinot,
it works with 3.0 version of web.xml.
I had to update all my wars/ears depending on the environment, comparing to a single configuration change that was required with JBOSS 5,6. The settings of cookie protection are the same for the whole JBOSS instance, it was a good idea to allow global configuration of session cookie in JBOSS5,6, this feature is most likely missing in JBOSS7.