Oracle (acquired BEA Jan 08) Weblogic is not playing ball at all: http://coding-insecurity.blogspot.com/2008/12/oracle-just-doesn-get-it.html
Apache Tomcat JSESSIONID Cookie: A developer submitted a patch to Apache Tomcat, which is close to going live in Tomcat 7 for sure soon (aiming to be a 3.0 servlet container). The core developers are voting to decide on whether to include HTTPOnly support for Tomcat 5/6 right now. https://issues.apache.org/bugzilla/show_bug.cgi?id=44382
IBM Websphere: (Sept 08) "WebSphere Application Server has been modified to properly recognize, accept and process HTTP-Only cookies. This support is targeted for fixpacks 220.127.116.11 and 18.104.22.168. Please review the recommended updates page at http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27004980 for more information."