As per the aforementioned thread:
"If you use HTTPS exclusively, then it is a good idea to set the "secure" flag on the cookie. You can do this by overriding the setCookie method on the AbstractRememberMeServices implementation you are using."
This is as simple as adding a single line to AbstractRememberMeServices.setCookie():
cookie.setSecure( request.isSecure() );
With this snippet, when the request is made from a secure context, the cookie will be sent with a 'secure' attribute set. This could be made optional with a configuration flag; I just think it's messy to require clients to override this class for such simple functionality.