Good question, Abdul. Change of plan.
On second thoughts, do not modify the server.xml file as I suggested. That is all too heavy-going and clumsy. There has to be a simpler solution.
There is one thing I know. Tomcat is configured to automatically flag the JsessionID cookie as secure when it detects HTTPS. The question is, why it fails to set the flag in your case. Let us look into this some more.