Following Apache configuration snippet separates JSESSIONID cookie for secure and insecure acces.

rewrite.conf

# required modules:
# * setenvif
# * rewrite
# * headers

SetEnvIf Https-Header "1" is_https=1
Header edit Set-Cookie JSESSIONID=(.+)$ "JSID_SECURE=$1; secure" env=is_https
Header edit Set-Cookie JSESSIONID JSID_HTTP env=!is_https

RequestHeader edit Cookie JSID_SECURE JSESSIONID env=is_https
RequestHeader edit Cookie JSID_HTTP JSESSIONID env=!is_https