Checking back in, the source of our problem is http/https related. We show our sites with http, but use SSL for the dashboards. Apparently this also makes Password Protected post passwords also be submitted via https, and thus the cookies are set to be sent only over secure connections.
This seems outside the scope of Domain Mapping, so I'll keep digging.
Cheers!