While I can file an issue to investigate the difference in cookie order, my question would be, why is your application sending 2 cookies with the same name in the first place?
I don’t think that’s the actual issue. The actual issue is the one that you brushed off as you should not have 2 cookies.
Here’s the official HTTP standard: RFC 6265: HTTP State Management Mechanism (rfc-editor.org), quoting:
To maximize compatibility with user agents, servers SHOULD NOT produce two attributes with the same name in the same set-cookie-string.
If you do that, it’s up to the browser to pick the header as described in this section: RFC 6265: HTTP State Management Mechanism (rfc-editor.org)