...
Only give up on the cookieProps change as a last resort. I'm not aware of any situations in which one of the above mechanisms won't work, and the additional protection of limiting the cookie to SSL is substantial. It's only omitted by default because so many people end up with loops and complain to the support list.
Requests bouncing without scheme change
If Apache 2.4 is involved, check the Apache Virtual Host. If the protected <Directory> or <Location> has a
Require all granted
directive, remove it and restart Apache.