Drupal Association members fund grants that make connections all over the world.
When the ESI module calls setcookie(), it omits the domain parameter. On a Drupal site spanning multiple subdomains, normally session.cookie_domain is set to the top-level domain (eg. ".mysite.com") so the user remains signed in across all the domains. The problem is the roles cookie doesn't exist on other subdomains even when they're signed in, so they see the logged out version of the ESI block on those domains (if the page is cached and they don't hit esi_init()).
Instead of just patching up this one missing parameter, I've created a patch that uses session_get_cookie_params() to get all the data the cookie needs and merge that with the cookie settings. I've also added a call to drupal_alter() in case any sites may need to do something special with the cookie settings.
Let me know if you see any issues with this approach.