What is the name of the specific cookie? Let's assume it is called "foo", then I would suggest you use the following updated version that Josh provided -
SecRuleUpdateTargetByTag "WEB_ATTACK/XSS" "!REQUEST_COOKIES:foo"
SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" "!REQUEST_COOKIES:foo"
This would exclude that specific cookie value from being inspected by any of the XSS or SQLi rules.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information
contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.