CookieMonster

I had overlooked this until now, but the countermeasure for CookieMonster is written in RFC 2965.
http://www.ietf.org/rfc/rfc2965.txt

7.2  Cookie Spoofing

   Proper application design can avoid spoofing attacks from related
   domains.  Consider:

      1. User agent makes request to victim.cracker.edu, gets back
         cookie session_id="1234" and sets the default domain
         victim.cracker.edu.

      2. User agent makes request to spoof.cracker.edu, gets back cookie
         session-id="1111", with Domain=".cracker.edu".

      3. User agent makes request to victim.cracker.edu again, and
         passes

         Cookie: $Version="1"; session_id="1234",
                 $Version="1"; session_id="1111"; $Domain=".cracker.edu"

         The server at victim.cracker.edu should detect that the second
         cookie was not one it originated by noticing that the Domain
         attribute is not for itself and ignore it.

Since a server knows the Domain attribute of the cookies it issued itself, it can reject any suspicious cookie that comes in.
I think browsers should implement Set-Cookie2, but at the moment the only one that supports it is Opera, maybe?
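To show the server-side check the RFC describes, here is an added example (my own code, not part of the original post or the RFC): it parses a Version-1 Cookie header, including the exact header from section 7.2 quoted above, and keeps only the cookies whose $Domain the server issued itself. The host name and the helper names are assumptions for illustration.

```python
import re

# Constructed sample: the Cookie header from RFC 2965 section 7.2. The first
# cookie was issued by victim.cracker.edu; the second was planted by
# spoof.cracker.edu with Domain=".cracker.edu" (an assumed host name).
SAMPLE_COOKIE_HEADER = (
    '$Version="1"; session_id="1234", '
    '$Version="1"; session_id="1111"; $Domain=".cracker.edu"'
)


def parse_rfc2965_cookie_header(header):
    """Parse a Version-1 Cookie header into a list of dicts.

    Each dict has 'name' and 'value' plus any $Path/$Domain/$Port attribute
    that followed the NAME=VALUE pair. RFC 2965 allows ';' or ',' as the
    separator, and $Version applies to the whole header, not one cookie.
    """
    cookies = []
    current = None
    for token in re.split(r'\s*[;,]\s*', header.strip()):
        if not token:
            continue
        name, _, value = token.partition('=')
        value = value.strip('"')
        if name.lower() == '$version':
            continue
        if name.startswith('$'):
            if current is not None:
                current[name[1:].lower()] = value  # 'domain', 'path', 'port'
            continue
        current = {'name': name, 'value': value}
        cookies.append(current)
    return cookies


def accept_own_cookies(cookies, request_host):
    """Keep only cookies the server at request_host could have issued.

    A cookie with no $Domain defaults to the request host, so it is kept.
    A cookie whose $Domain is anything else (e.g. ".cracker.edu") was not
    originated by this server and is ignored, as RFC 2965 7.2 advises.
    """
    own = request_host.lower()
    kept = []
    for cookie in cookies:
        domain = cookie.get('domain')
        if domain is None or domain.lstrip('.').lower() == own:
            kept.append(cookie)
    return kept
```

With the sample header and request host victim.cracker.edu, only session_id="1234" survives; the spoofed "1111" is dropped.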