On an Apache test server, our vendors were able to achieve what we needed by setting
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None
