Cookies are transmitted in the headers during web requests, so if you are using SSL your cookies will be encrypted in transit just like the rest of the data.
Edit: It's worth mentioning that the Secure flag forces the cookies to only be sent over SSL. I don't know what kind of behavior you would see on a non-SSL session with that flag set, though.
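The following is an added example, not part of the original answer: it uses Python's standard-library `http.cookiejar` as a stand-in client to show which cookies go into the `Cookie` request header over HTTP versus HTTPS when one of them carries the `Secure` attribute. The host `example.com` and the cookie names and values are constructed for illustration.

```python
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar


class FakeResponse:
    """Stand-in for an HTTP response; CookieJar only needs info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            # Message item assignment appends, so each value becomes its own header line.
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def build_jar():
    """Store two constructed cookies as if received from https://example.com."""
    jar = CookieJar()
    origin = urllib.request.Request("https://example.com/login")
    response = FakeResponse([
        "session=abc123; Path=/; Secure",  # constructed: marked Secure
        "theme=dark; Path=/",              # constructed: no Secure attribute
    ])
    jar.extract_cookies(response, origin)
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the client would send to url (None if empty)."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def sent_in_cleartext(jar):
    """Audit helper: names of stored cookies a plain-HTTP request can carry."""
    return sorted(cookie.name for cookie in jar if not cookie.secure)


if __name__ == "__main__":
    jar = build_jar()
    print("https:", cookie_header_for(jar, "https://example.com/"))
    print("http: ", cookie_header_for(jar, "http://example.com/"))
    print("no Secure attribute:", sent_in_cleartext(jar))
```

The `Secure` cookie is left out of the plain-HTTP request, while the cookie without the attribute is sent on both, which is the one an on-path observer could read.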