David, I tried resetting the browser as you said, but to no avail. I also tried five other different browsers; all the same issue. Something has changed in CF10 and it seems to be to do with CFIDs and sessions. I know that the CF Admin no longer allows multiple logins using the same user id, but something else has changed in CF10 to do with session management. I tried a JVM parameter that returns sessions to their CF 9 mode, but that did not work either.
What I found out was that if I went to the login page securely, all subsequent secure pages retained the session, but insecure ones would not. So, I just made the login page use a http:// link in the form submission method, and that overcomes the issue since all subsequent pages are then http:// links. The solution seems to be make ALL pages served as either http:// or https://. Pages that are secure and post successively to other secure pages are fine, e.g. our e-commerce payment pages.
Very strange this, and no still no definitive workaround or response from Adobe. A cookie with the same domain should be served irrespective of the page being http:// or https://, indeed my own test pages show the same cookie is served in both cases.