This article describes the step needed to set the secure flag on the episerver login cookie.
Setting “requireSSL” on the EPiServer login form in the web.config resolves the issue.
<forms name=".EPiServerLogin" loginUrl="Util/login.aspx" timeout="120" defaultUrl="~/" requireSSL="true" />
<%= heading %>