Let's start with reviewing the Wikipedia paragraph on this subject.
The scenario for CSRF defense would not work in the face of HTTPOnly. BUT - I can circumvent this defense by placing CSRF attack code on a cross-site that reads the cookies out of an XHR header (since they are not httponly for this defense), and adds it to the post manually. This lets an attacker circumvent double click defense!
Now, as browsers handling of XHR matures, the validity of this claim gets stronger (the claim that double-click defense is good).
IE lets you read cookies out of XHR request headers (that are not httponly) which would let an attacker circumvent the double-cookie defense like I described above. FireFox is vulnerable to this defense too, prior to 220.127.116.11. Starting with FireFox 18.104.22.168, cookies - any cookies - are no longer included in Firefox XHR response headers.
In a world where you can no longer read ANY cookies from XHR headers, AND httponly is in widespread use - I can see an argument to not use HTTPOnly depending on the risk - which is why implementers for server side products should provide options to disable HTTPOnly! :)