The Mendix runtime itself does not know whether you are using SSL, because that is handled by the front-facing web server (IIS or Nginx). In order to get secure cookies from the runtime, you have to configure the front-facing web server to add the 'X-Forwarded-Scheme' HTTP header to all requests forwarded to the runtime. The value of the header should be 'https'.
Edit: I didn't see your comment on Chris's answer until after I answered. This is indeed part of the security checklist documented here. If you correctly configure the reverse proxy to add the 'X-Forwarded-Scheme' header to all requests forwarded to the Mendix runtime, the runtime should send secure cookies.
will this help?