In order to ensure IAC functionality in a secure environment, the following updates were made: HTTPOnly support has been enabled for prGatewaySESSIONID cookies; encryption and obfuscation have been set up for web nodes; added a check for login-config.xml to add default-users.properties and default-roles.properties to the other application-policy.

There is no current mechanism to accomplish this and setting HTTPOnly to true would render the cookie useless.  Does this cookie design was removed in PEGA 7.1.7?