Is it possible to set the "Secure" and "HTTPOnly" attributes on the s_fid cookie that is used by omniture? I have only found references to it in AppMeasurement.js beneath these lines:
I looked through some of our engineering notes and it looks like this was addressed for Analytics a few years ago. Is this specific to DTM? If so, I'd suggest opening a ticket with Client Care. They can create a bug for the DTM team to look further into it.