not sure why this thread was marked as resolved, this is a very long-standing*, let's say, feature, which fortunately does not affect the entire world. yet.
only _logged in_ wp.com users who want access to the 'myriad delights' of .com hosted domain-mapped blogs are the lucky subjects of being an open jar for cookies from domains external to .com.
quote from Joseph @ WordPress.com to kimik0:
The .wordpress.com cookie is for the blue menu panel along the top of the page.
in fact, we can see that a wp.com domain-mapped host wants to send us a cookie for its own domain, which is not allowed by default (which is a Right Default Thing for many reasons). then it probably tries to get it back and fails with a cryptic "Invalid key" message.
so it's not exactly an original ".wordpress.com" cookie -- it is rather a foreign one from a perfect stranger.
no-cookie solution: turn off JS when accessing domain-mapped .com blogs.
GET /remote-login.php?login=0xbad HTTP/1.0
HTTP/1.0 302 Found
Set-Cookie: wplogin=%%%% path=/; domain=changingway.org
*) I couldn't get to Scobleizer's blog for this matter almost a year and a half ago.