The gadget has now been adjusted to show a message coming from the server: the time and login details. This demonstrates that third-party cookies work on a content-type=html gadget. The third-party content arrives via JSON; note that this is for proof of concept only, because it's dangerous to offer privileged (i.e. cookie-qualified) services or data via JSON.
This is a content-type=html widget, meaning that the iframe is served from Google's server, so the cookie coming from my server is a third-party cookie. There's an equivalent content-type=url widget available too, which simply issues XHR calls back to my server, because the iframe itself comes from my server.
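To make the JSON warning concrete, here is an added example (not the gadget's own code) that puts a cookie-qualified endpoint wrapping its data in a script callback beside a hardened one that only answers same-origin XHR, as the content-type=url variant would issue. It assumes the cross-domain JSON is delivered JSONP-style; the origin, session store, handler names and request objects are all constructed for illustration.

```javascript
// Added example. All names and sample values are constructed for illustration.
const OWN_ORIGIN = "https://myserver.example"; // assumption: origin serving the widget iframe
const SESSIONS = new Map([["sid-1", { user: "alice", lastLogin: "10:00" }]]); // constructed

const deny = (status) => ({ status, headers: {}, body: "" });

// Weak: wraps cookie-qualified data in a caller-chosen callback (JSONP). The browser
// sends the cookie with any <script> include, so any embedding page can read the data.
function serveWeak(req) {
  const session = SESSIONS.get(req.cookies.sid);
  if (!session) return deny(401);
  const json = JSON.stringify(session);
  const cb = req.query.callback;
  return cb
    ? { status: 200, headers: { "Content-Type": "application/javascript" }, body: `${cb}(${json});` }
    : { status: 200, headers: { "Content-Type": "application/json" }, body: json };
}

// Hardened: plain JSON only, for same-origin XHR (the content-type=url design).
function serveHardened(req) {
  const session = SESSIONS.get(req.cookies.sid);
  if (!session) return deny(401);
  // Never emit executable JavaScript around private data.
  if (req.query.callback !== undefined) return deny(400);
  // Browsers add Origin to cross-site XHR/fetch; reject anything that is not us.
  const origin = req.headers["origin"];
  if (origin !== undefined && origin !== OWN_ORIGIN) return deny(403);
  // A <script> include cannot set request headers, so require one our own XHR sets.
  if (req.headers["x-requested-with"] !== "XMLHttpRequest") return deny(403);
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json",
      "X-Content-Type-Options": "nosniff",
      "Cache-Control": "no-store",
    },
    body: JSON.stringify(session),
  };
}

// Constructed requests: a script include from another site, and the widget's own XHR.
const scriptInclude = { cookies: { sid: "sid-1" }, query: { callback: "show" }, headers: {} };
const ownXhr = { cookies: { sid: "sid-1" }, query: {}, headers: { "x-requested-with": "XMLHttpRequest" } };

console.log(serveWeak(scriptInclude).body);
console.log(serveHardened(scriptInclude).status);
console.log(serveHardened(ownXhr).body);
```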