which turned up to be due to the number of dots in the 'domain'. I've now made curl follow the the original netscape cookie spec less strict on that part.