When we are using SSL, there are two session ids and they are put in two separate cookies. _wl_authcookie_ is a secure cookie.
All SSL requests should contain both cookies otherwise the request will not be considered as authenticated. Non SSL (HTTP) requests needs to contain only the JSESSIONID cookie.
The sad thing is that WebLogic's implementation of URLConnection's 'getHeaderField("Set-Cookie")' returns only one cookie (whichever comes first). If you want to get both cookies you need to use 'getHeaderFields()' and look for the entry with key "Set-Cookie". To set cookie we need to use URLConnection.setRequestProperty("cookies") and we need to pass both cookies with semi colon (;) as separator.
If cookies are disabled then URL rewrite shall be used for session tracking. However you don't need to pass both cookies for SSL; only the JSESSIONID cookie will do. With SSL, URL rewrite will work only if either of the following is configured
1) EnableCookie=false in weblogic.xml
2) AuthCookieEnabled=false in config.xml