The options in the CSA for Use Secure Session Cookie and Use HTTP Session Cookie are responsible for the piece at the end of the line where it says ";Secure;HttpOnly".
I haven't seen anywhere where we add the ";secure;" keyword into individual parts of the cookie after each token, but that doesn't mean it doesn't happen somewhere (given that it seems to be complaining in the app-ca.log when this cookie set directive is being added to the response, maybe it does).
I also couldn't find where we would set a cookie with the userLocale key/value and an expiry date associated with it (I went through advanced reporting and exporting to excel as part of that coverage too), but somewhere within Jaspersoft / Advanced Reporting is most likely based on some test cases I saw.
Maybe we can learn more about that in time, however for the meantime if it is preferred to suppress this message in some places (e.g. for production environments) then you may want to add a logger category name of org.apache.http.client.protocol or org.apache.http.client.protocol.ResponseProcessCookies and set it to ERROR level. Lacking an environment I can currently reproduce this on, I'm taking a small leap of faith that those log changes will work, but based on what I was seeing here it seemed it would: http://stackoverflow.com/questions/3248528/how-do-i-turn-off-warning-messages-in-httpclient-for-log4j
Also are you seeing this with other cookies being set or only the examples of userLocale / Expires combinations?