Проверить RFC 6265 HTTP State Management Mechanism, 5.1.4. Paths и Path-Match :
A request-path path-matches a given cookie-path if at least one of
the following conditions holds:
o The cookie-path and the request-path are identical.
o The cookie-path is a prefix of the request-path, and the last
character of the cookie-path is %x2F ("/").
o The cookie-path is a prefix of the request-path, and the first
character of the request-path that is not included in the cookie-
path is a %x2F ("/") character.
Он не упоминает об обработке подстановочных знаков, поэтому нельзя использовать подстановочные знаки в пути.