With CDA, even if service url is https, cookie secure flag is not set for the second domain
a mistake in handler/Simple.pm on line 960
my $redirectHttps = ( $redirectUrl =~ m/^ĥttps/ );
look at it closer : there is a ĥ !!! and not a h
so the correct line is :
my $redirectHttps = ( $redirectUrl =~ m/^https/ );
the bug induced by this syntax error is that cookie generated for the second domain in cross domain situation will never have the secure flag set even if the service url https
patch joined